From patchwork Fri Apr 22 03:40:32 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2385 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id UJvXABW7YmKPOwAAqwncew (envelope-from ) for ; Fri, 22 Apr 2022 10:26:29 -0400 Received: from proxy16.mail.ord1d.rsapps.net ([172.30.191.6]) by director14.mail.ord1d.rsapps.net with LMTP id uEuhFBW7YmIcBwAAeJ7fFg (envelope-from ) for ; Fri, 22 Apr 2022 10:26:29 -0400 Received: from smtp11.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy16.mail.ord1d.rsapps.net with LMTPS id CAFRFBW7YmJqXQAAetu3IA (envelope-from ) for ; Fri, 22 Apr 2022 10:26:29 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp11.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 328396e2-c248-11ec-88cb-5254005f837b-1-1 Received: from [216.105.38.7] ([216.105.38.7:37368] helo=lists.sourceforge.net) by smtp11.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id BB/A8-02354-41BB2626; Fri, 22 Apr 2022 10:26:28 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nhuE8-0000Ch-D5; Fri, 22 Apr 2022 14:25:39 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nhuE5-0000Ca-FC for openvpn-devel@lists.sourceforge.net; Fri, 22 Apr 2022 14:25:36 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=cuO4ll1i5j2hLpG551hY2DGvzodHtnNjUJWl3Q/4HOM=; b=AzKR8hg6b/Y11B1FW/dkUEaMfF cBCT3QEnahml71xfDT3ryJqpYPAIFEC04apVfY7ybmt2C93+lCS29Tw9WTXo58WopE1ptN5qr7G70 fTorzwZfsg4jG4fVgb1Mgiqg2sw7das5hZmyuhtB0gTvrEC6gSIhH8HZHB6N5EdzSNXs=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=cuO4ll1i5j2hLpG551hY2DGvzodHtnNjUJWl3Q/4HOM=; b=fj+z5wZNeGR4/Ii/cbyI3zYw8O BYutLDCQHnrNtEdOQaxWenxvWXG7iTR2D1yhE5QCs2E4cbDka13FYuG+3kVAKylEzgNmxej22CyjS 6cIUId1Fj/bVdJA7AiVTq6CpYUCuvLC61ScRv/J8MXn9a4/g1NNA8XKM2WNYjpORXZ2o=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1nhuE2-0005Jp-D8 for openvpn-devel@lists.sourceforge.net; Fri, 22 Apr 2022 14:25:34 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1nhtWY-0008sL-K2 for openvpn-devel@lists.sourceforge.net; Fri, 22 Apr 2022 15:40:38 +0200 Received: (nullmailer pid 3801294 invoked by uid 10006); Fri, 22 Apr 2022 13:40:38 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Fri, 22 Apr 2022 15:40:32 +0200 Message-Id: <20220422134038.3801239-4-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220422134038.3801239-1-arne@rfc2549.org> References: <20220422134038.3801239-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This prepares for extending this function with the HMAC based session ID check. Signed-off-by: Arne Schwabe --- src/openvpn/mudp.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) Content analysis details: (0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1nhuE2-0005Jp-D8 Subject: [Openvpn-devel] [PATCH 03/28] Move pre decrypt lite check to its own function X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This prepares for extending this function with the HMAC based session ID check. Signed-off-by: Arne Schwabe --- src/openvpn/mudp.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 4fbe3c1a3..910268333 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -39,6 +39,20 @@ #include #endif +static bool +do_pre_decrypt_check(struct multi_context *m) +{ + if (!m->top.c2.tls_auth_standalone) + { + return false; + } + if (!tls_pre_decrypt_lite(m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf)) + { + return false; + } + return true; +} + /* * Get a client instance based on real address. If * the instance doesn't exist, create it while @@ -95,8 +109,7 @@ multi_get_create_instance_udp(struct multi_context *m, bool *floated) } if (!mi) { - if (!m->top.c2.tls_auth_standalone - || tls_pre_decrypt_lite(m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf)) + if (do_pre_decrypt_check(m)) { if (frequency_limit_event_allowed(m->new_connection_limiter)) {