From patchwork Mon Jan 25 01:56:24 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1579 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id 6KmsOUjADmDzLgAAIUCqbw (envelope-from ) for ; Mon, 25 Jan 2021 07:57:44 -0500 Received: from proxy1.mail.ord1c.rsapps.net ([172.28.255.1]) by director12.mail.ord1d.rsapps.net with LMTP id gKSNOUjADmC5ZwAAIasKDg (envelope-from ) for ; Mon, 25 Jan 2021 07:57:44 -0500 Received: from smtp40.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy1.mail.ord1c.rsapps.net with LMTPS id QOxnOUjADmBfdQAA2VeTtA (envelope-from ) for ; Mon, 25 Jan 2021 07:57:44 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp40.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: ea59c296-5f0c-11eb-ae77-525400b3abc9-1-1 Received: from [216.105.38.7] ([216.105.38.7:41568] helo=lists.sourceforge.net) by smtp40.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id DF/7B-17176-840CE006; Mon, 25 Jan 2021 07:57:44 -0500 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1l41QV-0004wK-29; Mon, 25 Jan 2021 12:57:03 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l41QF-0004rt-3D for openvpn-devel@lists.sourceforge.net; Mon, 25 Jan 2021 12:56:47 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=+7IoKGWNPS0oGst8IbmGhCnIukMULBNO/eHMhXYl24g=; b=OdXPpZkA6tFaS5c4VEjVYCBtr2 17M/F+N/a0eoIfmcnCaZeMoJwZF7OXMFjMFWCwUBmmIEz9jN0f9wJewALgRGCkFpR+XYNwsrq9scF pxxtmCtzPmrVux3oUOS0hPPi9Tn7fpcnF5AEAo20hmvUtI2GtF/HfHEOfYwvOpL3tlpw=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=+7IoKGWNPS0oGst8IbmGhCnIukMULBNO/eHMhXYl24g=; b=JtY+pI9ZrnbiTIpZcOCGRGyZik Bq0qOZ1fCiwcZiMU6VJMqUxI3A+600A/cVo8j6igqhgIA7RgB8L6j9n52RTfoJwP/RhvsY1xVGfYg bwgWGeYZ0EntyMx4a/N/AbXkLwfE7uibPD+ypM1smSa/C+CJgLGlc2nK25hcHQUt8wGs=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1l41QB-006gWv-9t for openvpn-devel@lists.sourceforge.net; Mon, 25 Jan 2021 12:56:47 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1l41Px-0007X9-4z for openvpn-devel@lists.sourceforge.net; Mon, 25 Jan 2021 13:56:29 +0100 Received: (nullmailer pid 30429 invoked by uid 10006); Mon, 25 Jan 2021 12:56:29 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 25 Jan 2021 13:56:24 +0100 Message-Id: <20210125125628.30364-8-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210125125628.30364-1-arne@rfc2549.org> References: <20210125125628.30364-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1l41QB-006gWv-9t Subject: [Openvpn-devel] [PATCH v2 07/11] Refactor extract_var_peer_info into standalone function and add ssl_util.c X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Our "natural" place for this function would be ssl.c but ssl.c has a lot of dependencies on all kinds of other compilation units so including ssl.c into unit tests is near impossible currently. Instead create a new file ssl_util.c that holds small utility functions like this one. Patch v2: add newline add the end of sll_util.h and ssl_util.c Signed-off-by: Arne Schwabe Acked-by: Lev Stipakov --- src/openvpn/Makefile.am | 1 + src/openvpn/openvpn.vcxproj | 2 + src/openvpn/openvpn.vcxproj.filters | 6 +++ src/openvpn/ssl.c | 2 +- src/openvpn/ssl_ncp.c | 20 ++-------- src/openvpn/ssl_util.c | 59 ++++++++++++++++++++++++++++ src/openvpn/ssl_util.h | 49 +++++++++++++++++++++++ src/openvpn/ssl_verify.c | 1 + tests/unit_tests/openvpn/Makefile.am | 3 +- 9 files changed, 125 insertions(+), 18 deletions(-) create mode 100644 src/openvpn/ssl_util.c create mode 100644 src/openvpn/ssl_util.h diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index 37b002c6..ec84929b 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -119,6 +119,7 @@ openvpn_SOURCES = \ ssl_openssl.c ssl_openssl.h \ ssl_mbedtls.c ssl_mbedtls.h \ ssl_ncp.c ssl_ncp.h \ + ssl_util.c ssl_util.h \ ssl_common.h \ ssl_verify.c ssl_verify.h ssl_verify_backend.h \ ssl_verify_openssl.c ssl_verify_openssl.h \ diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 3863854b..cf31940c 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -212,6 +212,7 @@ + @@ -300,6 +301,7 @@ + diff --git a/src/openvpn/openvpn.vcxproj.filters b/src/openvpn/openvpn.vcxproj.filters index cf5748c7..e8aed2c5 100644 --- a/src/openvpn/openvpn.vcxproj.filters +++ b/src/openvpn/openvpn.vcxproj.filters @@ -243,6 +243,9 @@ Source Files + + Source Files + @@ -509,6 +512,9 @@ Header Files + + Header Files + diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 14c8116f..f59b409f 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -4201,4 +4201,4 @@ void ssl_clean_user_pass(void) { purge_user_pass(&auth_user_pass, false); -} +} \ No newline at end of file diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 45bddbe0..f02a3103 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -48,6 +48,7 @@ #include "common.h" #include "ssl_ncp.h" +#include "ssl_util.h" #include "openvpn.h" /** @@ -195,23 +196,10 @@ const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc) { /* Check if the peer sends the IV_CIPHERS list */ - const char *ncp_ciphers_start; - if (peer_info && (ncp_ciphers_start = strstr(peer_info, "IV_CIPHERS="))) + const char *iv_ciphers = extract_var_peer_info(peer_info,"IV_CIPHERS=", gc); + if (iv_ciphers) { - ncp_ciphers_start += strlen("IV_CIPHERS="); - const char *ncp_ciphers_end = strstr(ncp_ciphers_start, "\n"); - if (!ncp_ciphers_end) - { - /* IV_CIPHERS is at end of the peer_info list and no '\n' - * follows */ - ncp_ciphers_end = ncp_ciphers_start + strlen(ncp_ciphers_start); - } - - char *ncp_ciphers_peer = string_alloc(ncp_ciphers_start, gc); - /* NULL terminate the copy at the right position */ - ncp_ciphers_peer[ncp_ciphers_end - ncp_ciphers_start] = '\0'; - return ncp_ciphers_peer; - + return iv_ciphers; } else if (tls_peer_info_ncp_ver(peer_info)>=2) { diff --git a/src/openvpn/ssl_util.c b/src/openvpn/ssl_util.c new file mode 100644 index 00000000..d6ead462 --- /dev/null +++ b/src/openvpn/ssl_util.c @@ -0,0 +1,59 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2020 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" + +#include "ssl_util.h" + +char * +extract_var_peer_info(const char *peer_info, const char *var, + struct gc_arena *gc) +{ + const char *var_start; + + if (peer_info && (var_start = strstr(peer_info, var))) + { + var_start += strlen(var); + const char *var_end = strstr(var_start, "\n"); + if (!var_end) + { + /* var is at end of the peer_info list and no '\n' + * follows */ + var_end = var_start + strlen(var_start); + } + + char *ncp_ciphers_peer = string_alloc(var_start, gc); + /* NULL terminate the copy at the right position */ + ncp_ciphers_peer[var_end - var_start] = '\0'; + return ncp_ciphers_peer; + } + else + { + return NULL; + } +} diff --git a/src/openvpn/ssl_util.h b/src/openvpn/ssl_util.h new file mode 100644 index 00000000..bc2ae30d --- /dev/null +++ b/src/openvpn/ssl_util.h @@ -0,0 +1,49 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2020 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +/** + * @file SSL utility function. This file (and its .c file) is designed to + * to be included in units/etc without pulling in a lot of dependencies + */ + +#ifndef SSL_UTIL_H_ +#define SSL_UTIL_H_ + +#include "buffer.h" + +/** + * Extracts a variable from peer info, the returned string will be allocated + * using the supplied gc_arena + * + * @param peer_info The peer's peer_info + * @param var The variable *including* =, e.g. IV_CIPHERS= + * + * @return The content of the variable as NULL terminated string or NULL if the + * variable cannot be found. + */ +char * +extract_var_peer_info(const char *peer_info, + const char *var, + struct gc_arena *gc); + +#endif diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index e04c5c35..e0ef399f 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -46,6 +46,7 @@ #endif #include "auth_token.h" #include "push.h" +#include "ssl_util.h" /** Maximum length of common name */ #define TLS_USERNAME_LEN 64 diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index f0880a6b..50f3a02e 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -125,4 +125,5 @@ ncp_testdriver_SOURCES = test_ncp.c mock_msg.c \ $(openvpn_srcdir)/crypto_openssl.c \ $(openvpn_srcdir)/otime.c \ $(openvpn_srcdir)/packet_id.c \ - $(openvpn_srcdir)/platform.c + $(openvpn_srcdir)/platform.c \ + $(openvpn_srcdir)/ssl_util.c