From patchwork Tue Mar 24 04:46:30 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tom van Leeuwen X-Patchwork-Id: 1048 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id EHIOBmA6el79DQAAIUCqbw for ; Tue, 24 Mar 2020 12:50:40 -0400 Received: from proxy16.mail.ord1d.rsapps.net ([172.30.191.6]) by director11.mail.ord1d.rsapps.net with LMTP id gP3RBWA6el4tKwAAvGGmqA ; Tue, 24 Mar 2020 12:50:40 -0400 Received: from smtp36.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy16.mail.ord1d.rsapps.net with LMTP id cBfiBGA6el4NbgAAetu3IA ; Tue, 24 Mar 2020 12:50:40 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp36.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=technolution.nl; dmarc=none (p=nil; dis=none) header.from=technolution.nl X-Suspicious-Flag: YES X-Classification-ID: 96ad4db6-6def-11ea-909f-525400c11307-1-1 Received: from [216.105.38.7] ([216.105.38.7:33862] helo=lists.sourceforge.net) by smtp36.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 8E/A3-15791-E5A3A7E5; Tue, 24 Mar 2020 12:50:38 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jGmkB-0000CD-PN; Tue, 24 Mar 2020 16:49:35 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jGmk8-0000C4-Ea for openvpn-devel@lists.sourceforge.net; Tue, 24 Mar 2020 16:49:34 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=BUTN0UJGk+Lh58n71Yw3QNSYu2KNQuGWSyzWZnQBvs0=; b=RkI7laWKkb22CDYbSzj9JyqcMC HyrhUGPdWgkAQbkuD3CXJjN0QeFDCRIrlq13MxPEDhrBsNufW2xxRAmSPceyUNYigU6e8T7a4p5dL TSagBTEqaeDGm5GLv3yAc8gA7cJjDT5mBKNwlMLEEvGN1fQjY8V+9+3XyJPcnI8bt/wY=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=BUTN0UJGk+Lh58n71Yw3QNSYu2KNQuGWSyzWZnQBvs0=; b=RVh/X8MrPDuVareLwMolZi1dAQ qKupx19WmBes4YMYoo3wFALzRlFnz7lgqkYVtJTb0iBBMG8NlJaUcDosWrU9uidfxOM/mp2QQkivx yySb8gdbR7k/DLA4yCyqo4UJOX7a3mB7zqE2xHF2OkE+Od622ov6IXZ+eTL0HWW3QOWw=; Received: from mail-lj1-f228.google.com ([209.85.208.228]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.2) id 1jGmk0-00263k-Kl for openvpn-devel@lists.sourceforge.net; Tue, 24 Mar 2020 16:49:32 +0000 Received: by mail-lj1-f228.google.com with SMTP id g12so19355831ljj.3 for ; Tue, 24 Mar 2020 09:49:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=technolution.nl; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=BUTN0UJGk+Lh58n71Yw3QNSYu2KNQuGWSyzWZnQBvs0=; b=CCKcRxRQOW2kenlznahPb8wiq1oFBuUfHsu8ZU6mCR0dFoZ5iL+U2B8hv/pPqCX6P4 tHHCu7GwE6rCCc3sC6Popgz1RhnVZVsV6nokJLKHKWdal54gLghiiCiRgxBCeGYVji0k TkpFPs21j52HOgXaXZEn8gE+E7XAobMK2uu+I= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=BUTN0UJGk+Lh58n71Yw3QNSYu2KNQuGWSyzWZnQBvs0=; b=e/hqBLecl5megt26MaFEDP5ijq2FjldKk04bQ+OyfdUFqDUwCVlC1Jc08THgzjnMA1 KplPNxhmb4QJydnGHpTn06r0Kj8FOHJomhgye7cYMhMaFHrGVMQ/gw0MLa1aTuQP2Xc+ oK9c4HWbWBxEYtSW6xfPZUBHcPh8CR8Yv8nkEC69eDJiOHNldPbQp2JzY7P6JwbGsofu 4+fngIn7YyaFGx9SBVdEzZWIE8vPDF2ssgmusngsY3STUpWQrwx8toZPq6iDhdzASFnH 8kg3TAZzyzWEDr/JrsAZ9L+yz+lAD3qRp1EgURHt7CBvRJ8BHGn0AA/PZhAq1l/HR045 TxPQ== X-Gm-Message-State: ANhLgQ1lvQuIcG0eMb4leudjrqf2RtAEq45leId+vTs9OSAaDLFAUhza PGJnvKaZj4eXXEn/euxmTFM2fLybxRGnAg8OY9CnPYR/CRJ8HA== X-Google-Smtp-Source: ADFU+vuvfnu5DPMTFMpT3bglw90p/DgEf2iS31PF0tGJeKhEHkPVwa+rT+mKEH1x1LXxIjoGfXc9FmF/t02e X-Received: by 2002:a17:906:5c0f:: with SMTP id e15mr23125830ejq.159.1585064795070; Tue, 24 Mar 2020 08:46:35 -0700 (PDT) Received: from techmail.intranet.technolution.nl ([90.145.31.218]) by smtp-relay.gmail.com with ESMTP id f27sm28164eja.72.2020.03.24.08.46.35; Tue, 24 Mar 2020 08:46:35 -0700 (PDT) X-Relaying-Domain: technolution.nl Received: from spike.intranet.technolution.nl (spike.intranet.technolution.nl [172.16.1.40]) by techmail.intranet.technolution.nl (Postfix) with ESMTP id EDA632154D86; Tue, 24 Mar 2020 16:46:34 +0100 (CET) Received: by spike.intranet.technolution.nl (Postfix, from userid 750005778) id E990A3F61F; Tue, 24 Mar 2020 16:46:34 +0100 (CET) From: Tom van Leeuwen To: openvpn-devel@lists.sourceforge.net Date: Tue, 24 Mar 2020 16:46:30 +0100 Message-Id: <20200324154630.15560-1-tom.van.leeuwen@technolution.nl> X-Mailer: git-send-email 2.21.0 In-Reply-To: <6c0abd28-0767-825c-5e08-3b054a6f8cc7@technolution.eu> References: <6c0abd28-0767-825c-5e08-3b054a6f8cc7@technolution.eu> MIME-Version: 1.0 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: technolution.eu] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.208.228 listed in list.dnswl.org] 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 0.4 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records X-Headers-End: 1jGmk0-00263k-Kl Subject: [Openvpn-devel] mbedTLS: Make sure TLS session survives move X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Tom van Leeuwen Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Tom van Leeuwen When an mbedTLS session is moved in move_session(), the contents of the the tls_session is copied to the new session and the old session is reinitialized. This tls_session contains, amongst other things, an mbedtls_ssl_config and bio_ctx structure. However, the mbedtls context has internal pointers to the mbedtls_ssl_config and bio_ctx. When the session is moved, these internal pointers point to the reinitialized session. Since there is no public method to update these internal pointers, this patch allocates the mbedtls_ssl_config and bio_ctx on the heap and stores the pointers in the tls_session instead. diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 0f0b035b..4f194ad7 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -1036,21 +1036,22 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, CLEAR(*ks_ssl); /* Initialise SSL config */ - mbedtls_ssl_config_init(&ks_ssl->ssl_config); - mbedtls_ssl_config_defaults(&ks_ssl->ssl_config, ssl_ctx->endpoint, + ALLOC_OBJ_CLEAR(ks_ssl->ssl_config, mbedtls_ssl_config); + mbedtls_ssl_config_init(ks_ssl->ssl_config); + mbedtls_ssl_config_defaults(ks_ssl->ssl_config, ssl_ctx->endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); #ifdef MBEDTLS_DEBUG_C mbedtls_debug_set_threshold(3); #endif - mbedtls_ssl_conf_dbg(&ks_ssl->ssl_config, my_debug, NULL); - mbedtls_ssl_conf_rng(&ks_ssl->ssl_config, mbedtls_ctr_drbg_random, + mbedtls_ssl_conf_dbg(ks_ssl->ssl_config, my_debug, NULL); + mbedtls_ssl_conf_rng(ks_ssl->ssl_config, mbedtls_ctr_drbg_random, rand_ctx_get()); - mbedtls_ssl_conf_cert_profile(&ks_ssl->ssl_config, &ssl_ctx->cert_profile); + mbedtls_ssl_conf_cert_profile(ks_ssl->ssl_config, &ssl_ctx->cert_profile); if (ssl_ctx->allowed_ciphers) { - mbedtls_ssl_conf_ciphersuites(&ks_ssl->ssl_config, ssl_ctx->allowed_ciphers); + mbedtls_ssl_conf_ciphersuites(ks_ssl->ssl_config, ssl_ctx->allowed_ciphers); } /* Disable record splitting (for now). OpenVPN assumes records are sent @@ -1058,35 +1059,35 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, * testing. Since OpenVPN is not susceptible to BEAST, we can just * disable record splitting as a quick fix. */ #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) - mbedtls_ssl_conf_cbc_record_splitting(&ks_ssl->ssl_config, + mbedtls_ssl_conf_cbc_record_splitting(ks_ssl->ssl_config, MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED); #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ /* Initialise authentication information */ if (is_server) { - mbed_ok(mbedtls_ssl_conf_dh_param_ctx(&ks_ssl->ssl_config, + mbed_ok(mbedtls_ssl_conf_dh_param_ctx(ks_ssl->ssl_config, ssl_ctx->dhm_ctx)); } - mbed_ok(mbedtls_ssl_conf_own_cert(&ks_ssl->ssl_config, ssl_ctx->crt_chain, + mbed_ok(mbedtls_ssl_conf_own_cert(ks_ssl->ssl_config, ssl_ctx->crt_chain, ssl_ctx->priv_key)); /* Initialise SSL verification */ #if P2MP_SERVER if (session->opt->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL) { - mbedtls_ssl_conf_authmode(&ks_ssl->ssl_config, MBEDTLS_SSL_VERIFY_OPTIONAL); + mbedtls_ssl_conf_authmode(ks_ssl->ssl_config, MBEDTLS_SSL_VERIFY_OPTIONAL); } else if (!(session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)) #endif { - mbedtls_ssl_conf_authmode(&ks_ssl->ssl_config, MBEDTLS_SSL_VERIFY_REQUIRED); + mbedtls_ssl_conf_authmode(ks_ssl->ssl_config, MBEDTLS_SSL_VERIFY_REQUIRED); } - mbedtls_ssl_conf_verify(&ks_ssl->ssl_config, verify_callback, session); + mbedtls_ssl_conf_verify(ks_ssl->ssl_config, verify_callback, session); /* TODO: mbed TLS does not currently support sending the CA chain to the client */ - mbedtls_ssl_conf_ca_chain(&ks_ssl->ssl_config, ssl_ctx->ca_chain, ssl_ctx->crl); + mbedtls_ssl_conf_ca_chain(ks_ssl->ssl_config, ssl_ctx->ca_chain, ssl_ctx->crl); /* Initialize minimum TLS version */ { @@ -1103,7 +1104,7 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, tls_version_to_major_minor(tls_version_min, &major, &minor); } - mbedtls_ssl_conf_min_version(&ks_ssl->ssl_config, major, minor); + mbedtls_ssl_conf_min_version(ks_ssl->ssl_config, major, minor); } /* Initialize maximum TLS version */ @@ -1116,7 +1117,7 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, { int major, minor; tls_version_to_major_minor(tls_version_max, &major, &minor); - mbedtls_ssl_conf_max_version(&ks_ssl->ssl_config, major, minor); + mbedtls_ssl_conf_max_version(ks_ssl->ssl_config, major, minor); } } @@ -1124,7 +1125,7 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, /* Initialize keying material exporter */ if (session->opt->ekm_size) { - mbedtls_ssl_conf_export_keys_ext_cb(&ks_ssl->ssl_config, + mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session); } #endif @@ -1132,11 +1133,11 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, /* Initialise SSL context */ ALLOC_OBJ_CLEAR(ks_ssl->ctx, mbedtls_ssl_context); mbedtls_ssl_init(ks_ssl->ctx); - mbedtls_ssl_setup(ks_ssl->ctx, &ks_ssl->ssl_config); + mbedtls_ssl_setup(ks_ssl->ctx, ks_ssl->ssl_config); /* Initialise BIOs */ - CLEAR(ks_ssl->bio_ctx); - mbedtls_ssl_set_bio(ks_ssl->ctx, &ks_ssl->bio_ctx, ssl_bio_write, + ALLOC_OBJ_CLEAR(ks_ssl->bio_ctx, bio_ctx); + mbedtls_ssl_set_bio(ks_ssl->ctx, ks_ssl->bio_ctx, ssl_bio_write, ssl_bio_read, NULL); } @@ -1152,9 +1153,17 @@ key_state_ssl_free(struct key_state_ssl *ks_ssl) mbedtls_ssl_free(ks_ssl->ctx); free(ks_ssl->ctx); } - mbedtls_ssl_config_free(&ks_ssl->ssl_config); - buf_free_entries(&ks_ssl->bio_ctx.in); - buf_free_entries(&ks_ssl->bio_ctx.out); + if (ks_ssl->ssl_config) + { + mbedtls_ssl_config_free(ks_ssl->ssl_config); + free(ks_ssl->ssl_config); + } + if (ks_ssl->bio_ctx) + { + buf_free_entries(&ks_ssl->bio_ctx->in); + buf_free_entries(&ks_ssl->bio_ctx->out); + free(ks_ssl->bio_ctx); + } CLEAR(*ks_ssl); } } @@ -1249,7 +1258,7 @@ key_state_read_ciphertext(struct key_state_ssl *ks, struct buffer *buf, len = maxlen; } - retval = endless_buf_read(&ks->bio_ctx.out, BPTR(buf), len); + retval = endless_buf_read(&ks->bio_ctx->out, BPTR(buf), len); /* Error during read, check for retry error */ if (retval < 0) @@ -1294,7 +1303,7 @@ key_state_write_ciphertext(struct key_state_ssl *ks, struct buffer *buf) return 0; } - retval = endless_buf_write(&ks->bio_ctx.in, BPTR(buf), buf->len); + retval = endless_buf_write(&ks->bio_ctx->in, BPTR(buf), buf->len); if (retval < 0) { diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h index c1c676dc..92381f1a 100644 --- a/src/openvpn/ssl_mbedtls.h +++ b/src/openvpn/ssl_mbedtls.h @@ -109,9 +109,9 @@ struct tls_root_ctx { }; struct key_state_ssl { - mbedtls_ssl_config ssl_config; /**< mbedTLS global ssl config */ + mbedtls_ssl_config *ssl_config; /**< mbedTLS global ssl config */ mbedtls_ssl_context *ctx; /**< mbedTLS connection context */ - bio_ctx bio_ctx; + bio_ctx *bio_ctx; /** Keying material exporter cache (RFC 5705). */ uint8_t *exported_key_material;