From patchwork Thu Apr 22 05:17:18 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1763
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 22 Apr 2021 17:17:18 +0200
Message-Id: <20210422151724.2132573-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
Subject: [Openvpn-devel] [PATCH 1/7] Move tls_select_primary_key into its own function

tls_pre_encrypt mainly performs the task of selecting the primary encryption key but also performs other minor tasks. To allow only querying for the key that should be used for encryption, extract this part of the function into its own function.

Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
 src/openvpn/ssl.c | 36 +++++++++++++++++++++---------------
 src/openvpn/ssl.h | 10 ++++++++++
 2 files changed, 31 insertions(+), 15 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 3921b3ba9..3bc84e02c 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -3820,27 +3820,15 @@ error: return false; } -/* Choose the key with which to encrypt a data packet */ -void -tls_pre_encrypt(struct tls_multi *multi, - struct buffer *buf, struct crypto_options **opt) +struct key_state *tls_select_encryption_key(struct tls_multi *multi) { - multi->save_ks = NULL; - if (buf->len <= 0) - { - buf->len = 0; - *opt = NULL; - return; - } - struct key_state *ks_select = NULL; for (int i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = get_key_scan(multi, i); if (ks->state >= S_ACTIVE - && (ks->authenticated == KS_AUTH_TRUE) - && ks->crypto_options.key_ctx_bi.initialized - ) + && ks->authenticated == KS_AUTH_TRUE + && ks->crypto_options.key_ctx_bi.initialized) { if (!ks_select) { @@ -3853,6 +3841,24 @@ tls_pre_encrypt(struct tls_multi *multi, } } } + return ks_select; +} + + +/* Choose the key with which to encrypt a data packet */ +void +tls_pre_encrypt(struct tls_multi *multi, + struct buffer *buf, struct crypto_options **opt) +{ + multi->save_ks = NULL; + if (buf->len <= 0) + { + buf->len = 0; + *opt = NULL; + return; + } + + struct key_state *ks_select = tls_select_encryption_key(multi); if (ks_select) { diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 6369e8bf6..135c60732 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -372,6 +372,16 @@ bool tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt); +/** + * Selects the primary encryption that should be used to encrypt data of an + * outgoing packet. + * @ingroup data_crypto + * + * If no key is found NULL is returned instead. + * + * @param multi - The TLS state for this packet's destination VPN tunnel. + */ +struct key_state *tls_select_encryption_key(struct tls_multi *multi); /** * Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
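Review bot: the new definition `+struct key_state *tls_select_encryption_key(struct tls_multi *multi)` in the first ssl.c hunk puts the return type and the function name on one line, while the neighbouring `tls_pre_encrypt` definition in the same hunk keeps the return type on its own line; split it as `struct key_state *` / `tls_select_encryption_key(struct tls_multi *multi)` to match the file's style. The name also differs from the one in the subject line, which says `tls_select_primary_key`; one of the two should be changed so the commit description names the symbol the patch actually introduces.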
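Review bot: the second ssl.c hunk leaves two consecutive blank lines (`+` / `+`) between the new `return ks_select;` / `}` and the relocated `/* Choose the key with which to encrypt a data packet */` comment; a single blank line matches the surrounding file. Since the whole point of the split is new callers of tls_select_encryption_key, it is worth stating in the commit message or the header comment that the function only walks the key scan and returns the match: `multi->save_ks = NULL` and the `buf->len <= 0` short-circuit stay in tls_pre_encrypt and run before the call, so the data path keeps its previous behaviour here, but a caller wanting the same reset semantics must perform them itself.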
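Review bot: the Doxygen comment in the ssl.h hunk reads `Selects the primary encryption that should be used`, which is missing the word `key`, and the NULL case is described in a free-form sentence instead of a `@return` tag. Suggest `Selects the primary encryption key that should be used to encrypt data of an outgoing packet.` together with `@return The selected key state, or NULL if no usable key is found.` so the generated documentation lists the return value alongside `@param multi`.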