From patchwork Fri Oct 9 03:47:55 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steffan Karger X-Patchwork-Id: 1511 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id QGTqIHB4gF/GWQAAIUCqbw (envelope-from ) for ; Fri, 09 Oct 2020 10:49:20 -0400 Received: from proxy2.mail.ord1d.rsapps.net ([172.30.191.6]) by director12.mail.ord1d.rsapps.net with LMTP id kAPxIHB4gF88dQAAIasKDg (envelope-from ) for ; Fri, 09 Oct 2020 10:49:20 -0400 Received: from smtp11.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy2.mail.ord1d.rsapps.net with LMTPS id qBJcIHB4gF9iagAAfawv4w (envelope-from ) for ; Fri, 09 Oct 2020 10:49:20 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp11.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=karger-me.20150623.gappssmtp.com; dmarc=fail (p=none; dis=none) header.from=karger.me X-Suspicious-Flag: YES X-Classification-ID: 9c132e88-0a3e-11eb-80fe-5254005f837b-1-1 Received: from [216.105.38.7] ([216.105.38.7:54402] helo=lists.sourceforge.net) by smtp11.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 4C/31-24130-F68708F5; Fri, 09 Oct 2020 10:49:19 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1kQth2-0003cD-Vf; Fri, 09 Oct 2020 14:48:25 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kQth1-0003c5-1w for openvpn-devel@lists.sourceforge.net; Fri, 09 Oct 2020 14:48:23 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=vN2jen7buWafy0APXq+SrQsfpI2Sb6o6nlx5uXjACmQ=; b=X+gzghtzOPtvSN+uhHCV12ykDE 4IxqZvqTZLJnm9ueSUj2mAzuro0nSanoNNggSAqPXg6tAKmEMjfouuZXXkGMVVns+E07NPwO7tzSe MRVX7qgY3yG8WAyaRchaDWdjih655KNhu4h8XGj5esyeLAO+OHKkLRInKyzO1hDj/ZxI=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:Cc:To:From :Sender:Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=vN2jen7buWafy0APXq+SrQsfpI2Sb6o6nlx5uXjACmQ=; b=d v9vBttqQdR7ciejfTjo9CniNmzHMke5E3FbmpH3T3Nfd5sB3YqXkcICXuyy89iUGl0dmlJ2wOxKuu Tc5fJNVb4Xv+G2OpFQzX0EsMwtC+9FI2lKmXG1Q0YsiCZmZLLN79MeCOYPl3zI1CyHmXnzWNGTNzS l1c+p3or5qi8MjNs=; Received: from mail-ej1-f66.google.com ([209.85.218.66]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.2) id 1kQtgq-008Z4F-Cl for openvpn-devel@lists.sourceforge.net; Fri, 09 Oct 2020 14:48:22 +0000 Received: by mail-ej1-f66.google.com with SMTP id qp15so13471858ejb.3 for ; Fri, 09 Oct 2020 07:48:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=karger-me.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=vN2jen7buWafy0APXq+SrQsfpI2Sb6o6nlx5uXjACmQ=; b=rw5asPMMxVrjBDjvN/10+Ejwd6+pKVuzebxyS2EnlFqOyqemknHh3SCcBFXft6XdIm O8Ii2cvg6UuBGqxMnISSYDaRX8ROovyIFKDleUyJ/IwLrtghyJ/ut3BuZnMyQYxp7nsz tmuUWYa/h75ATJcizyK+MrRzyuScNFM7SGZTnis9DG20Oahyz45Ge5HJIhLbBH86ULF6 iGl2fbBde+bxK6bVc0o9n5ZFcJI8MOsrvr05miCOyDWgQnAiO1jsK0Ddj0l6KBv+m7R0 uqi1GfdBIs/SjWShEQ/zU7aqElz9E1pWEEWTxEyYgPYLoQwC5QwrZQuogAYnIQqbQOhL yezQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=vN2jen7buWafy0APXq+SrQsfpI2Sb6o6nlx5uXjACmQ=; b=D2DtgiPQtC1hj314xTvwRTJXW/f+oOiqYCpu/kXzfgcG9/GFnnVLpmUdCMzSAFH7yd CA0b36OV8IAKLLS7KyU4U76utEI7VK9KwmfjkgHbFXGSQTXiHYNsl6yh/sYfrE9WGrVt IIgppd4Gr5ERK5Xfawu8JjRvV8/t7gV/L2j/dZYYojI1TB4RGvWA324pEjARZRpcMp09 HRlwtlJ9APgLNpkpKOohrwGEMNYx/cOaojUjZXAgH2OCOtRsxG57aSS3s/h7dbg8eUzU nqfd3CrJe5JK/kUplZ12SVkESkrjFYilk9PuZZGYbXJay+c0KAM87Rw4yd9yGyBOP2oz pk8g== X-Gm-Message-State: AOAM531wx6yzoDKiBHUqOW/ubfeSX73Kuu29G2sV9y3B6d1mSJhUo7EC aEKXVdWd6dFbFPKpwcX9tcAh32I8kt1Zi0X6 X-Google-Smtp-Source: ABdhPJwzfNMMQRo/3zL4Ew6Pi5vg9Ao4cUEKQD+nt2kN3GfVNU0tVA3CYleP8oh5zBC+gZV1BdTTSA== X-Received: by 2002:a17:906:3852:: with SMTP id w18mr10753411ejc.551.1602254885493; Fri, 09 Oct 2020 07:48:05 -0700 (PDT) Received: from luna.fritz.box ([2001:985:e54:1:f923:d0d0:b8dd:5bfa]) by smtp.gmail.com with ESMTPSA id v2sm6506235ejh.57.2020.10.09.07.48.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Oct 2020 07:48:04 -0700 (PDT) From: Steffan Karger To: openvpn-devel@lists.sourceforge.net Date: Fri, 9 Oct 2020 16:47:55 +0200 Message-Id: <20201009144755.39719-1-steffan@karger.me> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: karger.me] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.218.66 listed in list.dnswl.org] 0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [209.85.218.66 listed in wl.mailspike.net] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders X-Headers-End: 1kQtgq-008Z4F-Cl Subject: [Openvpn-devel] [PATCH] Simplify key material exporter backend API X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Just pass pointer and length, instead of a gc and return (possibly) allocated memory. Saves us some gc instantiations and memcpy()s. Exact same functionality, 19 lines less code. (Didn't want to delay the TLS EKM reviews for this, so submitted as a patch afterwards.) Signed-off-by: Steffan Karger Acked-By: Arne Schwabe --- src/openvpn/ssl.c | 26 ++++++++------------------ src/openvpn/ssl_backend.h | 14 +++++--------- src/openvpn/ssl_mbedtls.c | 12 +++++------- src/openvpn/ssl_openssl.c | 11 ++++------- 4 files changed, 22 insertions(+), 41 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index b572b7b8..87b51d96 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1786,23 +1786,14 @@ init_key_contexts(struct key_ctx_bi *key, static bool generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2) { - struct gc_arena gc = gc_new(); - unsigned char *key2data; - - key2data = key_state_export_keying_material(session, - EXPORT_KEY_DATA_LABEL, - strlen(EXPORT_KEY_DATA_LABEL), - sizeof(key2->keys), - &gc); - if (!key2data) + if (!key_state_export_keying_material(session, EXPORT_KEY_DATA_LABEL, + strlen(EXPORT_KEY_DATA_LABEL), + key2->keys, sizeof(key2->keys))) { return false; } - memcpy(key2->keys, key2data, sizeof(key2->keys)); - secure_memzero(key2data, sizeof(key2->keys)); key2->n = 2; - gc_free(&gc); return true; } @@ -2499,12 +2490,11 @@ export_user_keying_material(struct key_state_ssl *ssl, unsigned int size = session->opt->ekm_size; struct gc_arena gc = gc_new(); - unsigned char *ekm; - if ((ekm = key_state_export_keying_material(session, - session->opt->ekm_label, - session->opt->ekm_label_size, - session->opt->ekm_size, - &gc))) + unsigned char *ekm = gc_malloc(session->opt->ekm_size, true, &gc); + if (key_state_export_keying_material(session, + session->opt->ekm_label, + session->opt->ekm_label_size, + ekm, session->opt->ekm_size)) { unsigned int len = (size * 2) + 2; diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 4bcb3181..c3d12e5b 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -398,18 +398,14 @@ void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, * @param session The session associated with the given key_state * @param label The label to use when exporting the key * @param label_size The size of the label to use when exporting the key - * @param ekm_size THe size of the exported/returned key material - * @param gc gc_arena that might be used to allocate the string - * returned - * @returns The exported key material, the caller may zero the - * string but should not free it + * @param ekm Buffer to return the exported key material in + * @param ekm_size The size of ekm, in bytes + * @returns true if exporting succeeded, false otherwise */ - -unsigned char* +bool key_state_export_keying_material(struct tls_session *session, const char* label, size_t label_size, - size_t ekm_size, - struct gc_arena *gc) __attribute__((nonnull)); + void *ekm, size_t ekm_size); /**************************************************************************/ /** @addtogroup control_tls diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index f375e957..bb5633b7 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -219,11 +219,10 @@ mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms, return true; } -unsigned char * +bool key_state_export_keying_material(struct tls_session *session, const char* label, size_t label_size, - size_t ekm_size, - struct gc_arena *gc) + void *ekm, size_t ekm_size) { ASSERT(strlen(label) == label_size); @@ -233,10 +232,9 @@ key_state_export_keying_material(struct tls_session *session, * there is no PRF, in both cases we cannot generate key material */ if (cache->tls_prf_type == MBEDTLS_SSL_TLS_PRF_NONE) { - return NULL; + return false; } - unsigned char *ekm = (unsigned char *) gc_malloc(ekm_size, true, gc); int ret = mbedtls_ssl_tls_prf(cache->tls_prf_type, cache->master_secret, sizeof(cache->master_secret), label, cache->client_server_random, @@ -245,12 +243,12 @@ key_state_export_keying_material(struct tls_session *session, if (mbed_ok(ret)) { - return ekm; + return true; } else { secure_memzero(ekm, session->opt->ekm_size); - return NULL; + return false; } } #else diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index f52c7c39..122083a8 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -158,26 +158,23 @@ tls_ctx_initialised(struct tls_root_ctx *ctx) return NULL != ctx->ctx; } -unsigned char* +bool key_state_export_keying_material(struct tls_session *session, const char* label, size_t label_size, - size_t ekm_size, - struct gc_arena *gc) + void *ekm, size_t ekm_size) { - unsigned char *ekm = (unsigned char *) gc_malloc(ekm_size, true, gc); - SSL* ssl = session->key[KS_PRIMARY].ks_ssl.ssl; if (SSL_export_keying_material(ssl, ekm, ekm_size, label, label_size, NULL, 0, 0) == 1) { - return ekm; + return true; } else { secure_memzero(ekm, ekm_size); - return NULL; + return false; } }