From patchwork Fri Oct 23 01:02:53 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1527
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 23 Oct 2020 14:02:53 +0200
Message-Id: <20201023120259.29783-1-arne@rfc2549.org>
In-Reply-To: <20201023113244.26295-1-arne@rfc2549.org>
References: <20201023113244.26295-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 2/8] Replace key_scan array of static points with inline function

The key_scan array is an array that is set up as a reference to members of itself that have static offsets. Replace this pointer indirection with an inline function. This also has the advantage that the compiler can inline the function and just use a direct offset into the struct.

Replacing the implicit indirection with the pointer array with an explicit indirection with the inline function also makes the code a bit easier to follow.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/ssl.c        | 20 +++++++------------
 src/openvpn/ssl_common.h | 26 +++++++++++++++++++++-----
 src/openvpn/ssl_verify.c |  4 ++--
 3 files changed, 30 insertions(+), 20 deletions(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index fb1edd6e..618cc9cc 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -832,7 +832,7 @@ print_key_id(struct tls_multi *multi, struct gc_arena *gc) for (int i = 0; i < KEY_SCAN_SIZE; ++i) { - struct key_state *ks = multi->key_scan[i]; + struct key_state *ks = get_key_scan(multi, i); buf_printf(&out, " [key#%d state=%s id=%d sid=%s]", i, state_name(ks->state), ks->key_id, session_id_print(&ks->session_id_remote, gc)); @@ -1229,12 +1229,6 @@ tls_multi_init(struct tls_options *tls_options) /* get command line derived options */ ret->opt = *tls_options; - /* set up list of keys to be scanned by data channel encrypt and decrypt routines */ - ASSERT(SIZE(ret->key_scan) == 3); - ret->key_scan[0] = &ret->session[TM_ACTIVE].key[KS_PRIMARY]; - ret->key_scan[1] = &ret->session[TM_ACTIVE].key[KS_LAME_DUCK]; - ret->key_scan[2] = &ret->session[TM_LAME_DUCK].key[KS_LAME_DUCK]; - /* By default not use P_DATA_V2 */ ret->use_peer_id = false; @@ -3212,9 +3206,9 @@ tls_multi_process(struct tls_multi *multi, */ if (error) { - for (int i = 0; i < (int) SIZE(multi->key_scan); ++i) + for (int i = 0; i < KEY_SCAN_SIZE; ++i) { - if (multi->key_scan[i]->state >= S_ACTIVE) + if (get_key_scan(multi, i)->state >= S_ACTIVE) { goto nohard; } @@ -3229,9 +3223,9 @@ nohard: const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL(multi->opt.gremlin); if (throw_level) { - for (int i = 0; i < (int) SIZE(multi->key_scan); ++i) + for (int i = 0; i < KEY_SCAN_SIZE; ++i) { - if (multi->key_scan[i]->state >= throw_level) + if (get_key_scan(multi, i)->state >= throw_level) { ++multi->n_hard_errors; ++multi->n_soft_errors; @@ -3269,7 +3263,7 @@ handle_data_channel_packet(struct tls_multi *multi, /* data channel packet */ for (int i = 0; i < KEY_SCAN_SIZE; ++i) { - struct key_state *ks = multi->key_scan[i]; + struct key_state *ks = get_key_scan(multi, i); /* * This is the basic test of TLS state compatibility between a local OpenVPN 
@@ -3878,7 +3872,7 @@ tls_pre_encrypt(struct tls_multi *multi, struct key_state *ks_select = NULL; for (int i = 0; i < KEY_SCAN_SIZE; ++i) { - struct key_state *ks = multi->key_scan[i]; + struct key_state *ks = get_key_scan(multi, i); if (ks->state >= S_ACTIVE && (ks->authenticated == KS_AUTH_TRUE) && ks->crypto_options.key_ctx_bi.initialized diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 810aba95..c07c58ac 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -501,11 +501,6 @@ struct tls_multi /* const options and config info */ struct tls_options opt; - struct key_state *key_scan[KEY_SCAN_SIZE]; - /**< List of \c key_state objects in the - * order they should be scanned by data - * channel modules. */ - /* * used by tls_pre_encrypt to communicate the encrypt key * to tls_post_encrypt() @@ -585,4 +580,25 @@ struct tls_multi * sessions with the remote peer. */ }; +/** gets an item of \c key_state objects in the + * order they should be scanned by data + * channel modules. */ +static inline struct key_state * +get_key_scan(struct tls_multi *multi, int index) +{ + switch (index) + { + case 0: + return &multi->session[TM_ACTIVE].key[KS_PRIMARY]; + case 1: + return &multi->session[TM_ACTIVE].key[KS_LAME_DUCK]; + case 2: + return &multi->session[TM_LAME_DUCK].key[KS_LAME_DUCK]; + default: + ASSERT(false); + } + +}; + + #endif /* SSL_COMMON_H_ */ diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index acc788fc..862a6f56 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -972,7 +972,7 @@ tls_authentication_status(struct tls_multi *multi, const int latency) for (i = 0; i < KEY_SCAN_SIZE; ++i) { - struct key_state *ks = multi->key_scan[i]; + struct key_state *ks = get_key_scan(multi, i); if (DECRYPT_KEY_ENABLED(multi, ks)) { active = true; 
@@ -1045,7 +1045,7 @@ tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, con auth_set_client_reason(multi, client_reason); for (i = 0; i < KEY_SCAN_SIZE; ++i) { - struct key_state *ks = multi->key_scan[i]; + struct key_state *ks = get_key_scan(multi, i); if (ks->mda_key_id == mda_key_id) { ks->mda_status = auth ? ACF_SUCCEEDED : ACF_FAILED;
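Review bot: the tls_multi_init hunk in ssl.c removes `ASSERT(SIZE(ret->key_scan) == 3)`, which was the only check tying the three scan slots to the array size, while every loop touched by this patch (print_key_id, tls_multi_process, handle_data_channel_packet, tls_pre_encrypt, tls_authentication_status, tls_authenticate_key) still iterates up to KEY_SCAN_SIZE and the new get_key_scan() only handles indices 0, 1 and 2. If KEY_SCAN_SIZE is ever changed without touching the switch, all of those loops hit the `ASSERT(false)` default branch at runtime rather than failing at build time. Consider a comment next to the KEY_SCAN_SIZE definition pointing at get_key_scan(), or a static check that KEY_SCAN_SIZE == 3 beside the function, so the two stay in sync.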
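Review bot: in the new get_key_scan() in ssl_common.h the `default:` branch ends with `ASSERT(false);` and then falls off the end of a function returning `struct key_state *`; unless ASSERT expands to a noreturn call the compiler will warn about control reaching the end of a non-void function, so add an explicit `return NULL;` after the ASSERT. The closing `};` also leaves a stray semicolon at file scope, which is an empty declaration that pedantic builds warn about, and the blank line before it can go. The doc comment reads oddly ("gets an item of \c key_state objects"); something like "returns the i-th \c key_state in the order the data channel modules should scan them" would be clearer. On the positive side, an out-of-range index now aborts on the assertion instead of reading past the old pointer array, which is the safer failure mode.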