[Openvpn-devel,3/6] Extract update_session_cipher into standalone function

Message ID 20220621161649.2872985-3-arne@rfc2549.org
State New
Headers show
Series
  • [Openvpn-devel,1/6] Remove leftover frame_set_mtu_dynamic definitions in mtu.h
Related show

Commit Message

Arne Schwabe June 21, 2022, 4:16 p.m.
This allow the code later to check if the cipher is okay to use and
update it for the calculation for the max MTU size.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl.c     | 11 +----------
 src/openvpn/ssl_ncp.c | 22 ++++++++++++++++++++++
 src/openvpn/ssl_ncp.h |  8 ++++++++
 3 files changed, 31 insertions(+), 10 deletions(-)

Comments

Frank Lichtenheld June 24, 2022, 8:06 a.m. | #1
Acked-By: Frank Lichtenheld <frank@lichtenheld.com>

Trivial code move.

On Tue, Jun 21, 2022 at 06:16:46PM +0200, Arne Schwabe wrote:
> This allow the code later to check if the cipher is okay to use and
> update it for the calculation for the max MTU size.
> 
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
> ---
>  src/openvpn/ssl.c     | 11 +----------
>  src/openvpn/ssl_ncp.c | 22 ++++++++++++++++++++++
>  src/openvpn/ssl_ncp.h |  8 ++++++++
>  3 files changed, 31 insertions(+), 10 deletions(-)
> 
> diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
> index 61dea996d..ddd90080b 100644
> --- a/src/openvpn/ssl.c
> +++ b/src/openvpn/ssl.c
> @@ -1678,17 +1678,8 @@ tls_session_update_crypto_params(struct tls_session *session,
>                                   struct frame *frame_fragment,
>                                   struct link_socket_info *lsi)
>  {
> -
> -    bool cipher_allowed_as_fallback = options->enable_ncp_fallback
> -                                      && streq(options->ciphername, session->opt->config_ciphername);
> -
> -    if (!session->opt->server && !cipher_allowed_as_fallback
> -        && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
> +    if (!update_session_cipher(session, options))
>      {
> -        msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s",
> -            options->ciphername, options->ncp_ciphers);
> -        /* undo cipher push, abort connection setup */
> -        options->ciphername = session->opt->config_ciphername;
>          return false;
>      }
>  
> diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
> index 564942503..c800f718f 100644
> --- a/src/openvpn/ssl_ncp.c
> +++ b/src/openvpn/ssl_ncp.c
> @@ -490,3 +490,25 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
>  
>      gc_free(&gc);
>  }
> +
> +
> +bool
> +update_session_cipher(struct tls_session *session, struct options *options)
> +{
> +    bool cipher_allowed_as_fallback = options->enable_ncp_fallback
> +                                      && streq(options->ciphername, session->opt->config_ciphername);
> +
> +    if (!session->opt->server && !cipher_allowed_as_fallback
> +        && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
> +    {
> +        msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s",
> +            options->ciphername, options->ncp_ciphers);
> +        /* undo cipher push, abort connection setup */
> +        options->ciphername = session->opt->config_ciphername;
> +        return false;
> +    }
> +    else
> +    {
> +        return true;
> +    }
> +}
> diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h
> index 853017f5f..5ba2f7ae7 100644
> --- a/src/openvpn/ssl_ncp.h
> +++ b/src/openvpn/ssl_ncp.h
> @@ -148,4 +148,12 @@ const char *
>  get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info,
>                     struct gc_arena *gc);
>  
> +
> +/**
> + * Checks if the cipher is allowed and updates the TLS session cipher with it,
> + * otherwise returns false
> + */
> +bool
> +update_session_cipher(struct tls_session *session, struct options *options);
> +
>  #endif /* ifndef OPENVPN_SSL_NCP_H */
> -- 
> 2.32.1 (Apple Git-133)
> 
> 
> 
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Patch

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 61dea996d..ddd90080b 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1678,17 +1678,8 @@  tls_session_update_crypto_params(struct tls_session *session,
                                  struct frame *frame_fragment,
                                  struct link_socket_info *lsi)
 {
-
-    bool cipher_allowed_as_fallback = options->enable_ncp_fallback
-                                      && streq(options->ciphername, session->opt->config_ciphername);
-
-    if (!session->opt->server && !cipher_allowed_as_fallback
-        && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
+    if (!update_session_cipher(session, options))
     {
-        msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s",
-            options->ciphername, options->ncp_ciphers);
-        /* undo cipher push, abort connection setup */
-        options->ciphername = session->opt->config_ciphername;
         return false;
     }
 
diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index 564942503..c800f718f 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -490,3 +490,25 @@  p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
 
     gc_free(&gc);
 }
+
+
+bool
+update_session_cipher(struct tls_session *session, struct options *options)
+{
+    bool cipher_allowed_as_fallback = options->enable_ncp_fallback
+                                      && streq(options->ciphername, session->opt->config_ciphername);
+
+    if (!session->opt->server && !cipher_allowed_as_fallback
+        && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
+    {
+        msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s",
+            options->ciphername, options->ncp_ciphers);
+        /* undo cipher push, abort connection setup */
+        options->ciphername = session->opt->config_ciphername;
+        return false;
+    }
+    else
+    {
+        return true;
+    }
+}
diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h
index 853017f5f..5ba2f7ae7 100644
--- a/src/openvpn/ssl_ncp.h
+++ b/src/openvpn/ssl_ncp.h
@@ -148,4 +148,12 @@  const char *
 get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info,
                    struct gc_arena *gc);
 
+
+/**
+ * Checks if the cipher is allowed and updates the TLS session cipher with it,
+ * otherwise returns false
+ */
+bool
+update_session_cipher(struct tls_session *session, struct options *options);
+
 #endif /* ifndef OPENVPN_SSL_NCP_H */