From patchwork Wed Sep 30 03:13:13 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1488
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 30 Sep 2020 15:13:13 +0200
Message-Id: <20200930131317.1299-9-arne@rfc2549.org>
In-Reply-To: <20200930131317.1299-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 07/11] Refactor extract_var_peer_info into standalone function and add ssl_util.c

Our "natural" place for this function would be ssl.c but ssl.c has a lot of dependencies on all kinds of other compilation units so including ssl.c into unit tests is near impossible currently. Instead create a new file ssl_util.c that holds small utility functions like this one.
Signed-off-by: Arne Schwabe Acked-by: Lev Stipakov --- src/openvpn/Makefile.am | 1 + src/openvpn/openvpn.vcxproj | 2 + src/openvpn/openvpn.vcxproj.filters | 6 +++ src/openvpn/ssl.c | 2 +- src/openvpn/ssl_ncp.c | 20 ++-------- src/openvpn/ssl_util.c | 59 ++++++++++++++++++++++++++++ src/openvpn/ssl_util.h | 49 +++++++++++++++++++++++ src/openvpn/ssl_verify.c | 1 + tests/unit_tests/openvpn/Makefile.am | 3 +- 9 files changed, 125 insertions(+), 18 deletions(-) create mode 100644 src/openvpn/ssl_util.c create mode 100644 src/openvpn/ssl_util.h diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index 37b002c6..ec84929b 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -119,6 +119,7 @@ openvpn_SOURCES = \ ssl_openssl.c ssl_openssl.h \ ssl_mbedtls.c ssl_mbedtls.h \ ssl_ncp.c ssl_ncp.h \ + ssl_util.c ssl_util.h \ ssl_common.h \ ssl_verify.c ssl_verify.h ssl_verify_backend.h \ ssl_verify_openssl.c ssl_verify_openssl.h \ diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 3863854b..cf31940c 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -212,6 +212,7 @@ + @@ -300,6 +301,7 @@ + diff --git a/src/openvpn/openvpn.vcxproj.filters b/src/openvpn/openvpn.vcxproj.filters index cf5748c7..e8aed2c5 100644 --- a/src/openvpn/openvpn.vcxproj.filters +++ b/src/openvpn/openvpn.vcxproj.filters @@ -243,6 +243,9 @@ Source Files + + Source Files + @@ -509,6 +512,9 @@ Header Files + + Header Files + diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index f0664a0f..a125afa2 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -4138,4 +4138,4 @@ delayed_auth_pass_purge(void) { auth_user_pass.wait_for_push = false; purge_user_pass(&auth_user_pass, false); -} +} \ No newline at end of file diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 55496395..f4d755af 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c 
@@ -48,6 +48,7 @@ #include "common.h" #include "ssl_ncp.h" +#include "ssl_util.h" #include "openvpn.h" /** @@ -181,23 +182,10 @@ const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc) { /* Check if the peer sends the IV_CIPHERS list */ - const char *ncp_ciphers_start; - if (peer_info && (ncp_ciphers_start = strstr(peer_info, "IV_CIPHERS="))) + const char *iv_ciphers = extract_var_peer_info(peer_info,"IV_CIPHERS=", gc); + if (iv_ciphers) { - ncp_ciphers_start += strlen("IV_CIPHERS="); - const char *ncp_ciphers_end = strstr(ncp_ciphers_start, "\n"); - if (!ncp_ciphers_end) - { - /* IV_CIPHERS is at end of the peer_info list and no '\n' - * follows */ - ncp_ciphers_end = ncp_ciphers_start + strlen(ncp_ciphers_start); - } - - char *ncp_ciphers_peer = string_alloc(ncp_ciphers_start, gc); - /* NULL terminate the copy at the right position */ - ncp_ciphers_peer[ncp_ciphers_end - ncp_ciphers_start] = '\0'; - return ncp_ciphers_peer; - + return iv_ciphers; } else if (tls_peer_info_ncp_ver(peer_info)>=2) { diff --git a/src/openvpn/ssl_util.c b/src/openvpn/ssl_util.c new file mode 100644 index 00000000..90ec97f7 --- /dev/null +++ b/src/openvpn/ssl_util.c 
@@ -0,0 +1,59 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2020 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" + +#include "ssl_util.h" + +char * +extract_var_peer_info(const char *peer_info, const char *var, + struct gc_arena *gc) +{ + const char *var_start; + + if (peer_info && (var_start = strstr(peer_info, var))) + { + var_start += strlen(var); + const char *var_end = strstr(var_start, "\n"); + if (!var_end) + { + /* var is at end of the peer_info list and no '\n' + * follows */ + var_end = var_start + strlen(var_start); + } + + char *ncp_ciphers_peer = string_alloc(var_start, gc); + /* NULL terminate the copy at the right position */ + ncp_ciphers_peer[var_end - var_start] = '\0'; + return ncp_ciphers_peer; + } + else + { + return NULL; + } +} \ No newline at end of file diff --git a/src/openvpn/ssl_util.h b/src/openvpn/ssl_util.h new file mode 100644 index 00000000..21bded6b --- /dev/null +++ b/src/openvpn/ssl_util.h 
@@ -0,0 +1,49 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2020 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +/** + * @file SSL utility function. This file (and its .c file) is designed to + * to be included in units/etc without pulling in a lot of dependencies + */ + +#ifndef SSL_UTIL_H_ +#define SSL_UTIL_H_ + +#include "buffer.h" + +/** + * Extracts a variable from peer info, the returned string will be allocated + * using the supplied gc_arena + * + * @param peer_info The peer's peer_info + * @param var The variable *including* =, e.g. IV_CIPHERS= + * + * @return The content of the variable as NULL terminated string or NULL if the + * variable cannot be found. + */ +char * +extract_var_peer_info(const char *peer_info, + const char *var, + struct gc_arena *gc); + +#endif \ No newline at end of file diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 97ccb93b..e7e62afa 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -46,6 +46,7 @@ #endif #include "auth_token.h" #include "push.h" +#include "ssl_util.h" /** Maximum length of common name */ #define TLS_USERNAME_LEN 64 
diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index f0880a6b..50f3a02e 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -125,4 +125,5 @@ ncp_testdriver_SOURCES = test_ncp.c mock_msg.c \ $(openvpn_srcdir)/crypto_openssl.c \ $(openvpn_srcdir)/otime.c \ $(openvpn_srcdir)/packet_id.c \ - $(openvpn_srcdir)/platform.c + $(openvpn_srcdir)/platform.c \ + $(openvpn_srcdir)/ssl_util.c
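Review bot: The ssl.c hunk (end of delayed_auth_pass_purge) changes nothing except deleting the file's final newline, as the `\ No newline at end of file` marker after the replaced `}` shows; that is an unrelated whitespace change that will show up as noise in every later diff of ssl.c, so drop it from this patch and keep the trailing newline.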
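Review bot: In the tls_peer_ncp_list hunk of ssl_ncp.c the call `extract_var_peer_info(peer_info,"IV_CIPHERS=", gc)` is missing the space after the comma, which the project's uncrustify style check will flag; write `extract_var_peer_info(peer_info, "IV_CIPHERS=", gc)`. The behaviour itself is preserved: the helper copies the same "strstr, then cut at the next '\n' or at end of string" logic, including the NULL peer_info check that was previously inlined in the if condition.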
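Review bot: In ssl_util.c, `strstr(peer_info, var)` in extract_var_peer_info is not anchored to the start of a peer_info line, so it also matches when `var` occurs as the tail of a longer variable name or inside the value of an earlier variable (a lookup of "IV_CIPHERS=" would accept "XIV_CIPHERS=..."). The old inline code in tls_peer_ncp_list had the same weakness, but now that this is a general helper called with arbitrary names it is worth closing: loop over the strstr() hits and accept only one where `var_start == peer_info || var_start[-1] == '\n'`. Three smaller points in the same hunk: the local `ncp_ciphers_peer` is a leftover name from the NCP code and should become something neutral like `var_value`; the comment should say "NUL terminate" (the byte, not the pointer); and the file lacks a trailing newline (`\ No newline at end of file`). Optionally, allocating `var_end - var_start + 1` bytes via gc_malloc() and copying just the value avoids string_alloc() duplicating the whole remainder of peer_info only to truncate it.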
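Review bot: In ssl_util.h the @file comment has a doubled word ("is designed to to be included") and "units/etc" presumably means "unit tests etc."; the function doc comment documents `peer_info` and `var` but is missing a `@param gc` line, and it should state that the match is a substring search on the whole peer_info string so callers know to pass the name including the '='. The header also ends without a trailing newline (`\ No newline at end of file` after `#endif`).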
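Review bot: The ssl_verify.c hunk adds `#include "ssl_util.h"` but nothing else in ssl_verify.c changes in this patch, so the include has no user here. If a later patch in the series introduces the caller, move the include into that patch so each commit is self-contained and bisectable; otherwise it is a stray include.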
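Review bot: The tests/unit_tests/openvpn/Makefile.am hunk adds ssl_util.c to ncp_testdriver_SOURCES, but the series adds no test that actually calls extract_var_peer_info, and testability is the stated reason for the new file. Please add cases to test_ncp.c covering: the variable in the middle of peer_info (cut at '\n'), the variable as the last entry with no trailing '\n', a present-but-empty value (returns "" rather than NULL), a missing variable (NULL) and a NULL peer_info (NULL).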