From patchwork Fri Oct 23 01:02:57 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1524
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 23 Oct 2020 14:02:57 +0200
Message-Id: <20201023120259.29783-5-arne@rfc2549.org>
In-Reply-To: <20201023120259.29783-1-arne@rfc2549.org>
References: <20201023113244.26295-1-arne@rfc2549.org> <20201023120259.29783-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 6/8] Rename DECRYPT_KEY_ENABLED to TLS_AUTHENTICATED

The macro's name suggests that the key is enabled and being used. But the macro actually does something different, but similar enough that the name was probably right at some point.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/ssl.c        |  6 +++---
 src/openvpn/ssl_verify.c |  2 +-
 src/openvpn/ssl_verify.h | 13 ++++++++++---
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index e59dba31..e4f43a86 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -3216,7 +3216,7 @@ tls_multi_process(struct tls_multi *multi, * verification failed. A semi-trusted session can forward data on the * TLS control channel but not on the tunnel channel. */ - if (DECRYPT_KEY_ENABLED(multi, &multi->session[TM_UNTRUSTED].key[KS_PRIMARY])) + if (TLS_AUTHENTICATED(multi, &multi->session[TM_UNTRUSTED].key[KS_PRIMARY])) { move_session(multi, TM_ACTIVE, TM_UNTRUSTED, true); msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: untrusted session promoted to %strusted", @@ -3301,7 +3301,7 @@ handle_data_channel_packet(struct tls_multi *multi, * passive side is the server which only listens for the connections, the * active side is the client which initiates connections). */ - if (DECRYPT_KEY_ENABLED(multi, ks) + if (TLS_AUTHENTICATED(multi, ks) && key_id == ks->key_id && (ks->authenticated == KS_AUTH_TRUE) && (floated || link_socket_actual_match(from, &ks->remote_addr))) @@ -3628,7 +3628,7 @@ tls_pre_decrypt(struct tls_multi *multi, * Remote is requesting a key renegotiation */ if (op == P_CONTROL_SOFT_RESET_V1 - && DECRYPT_KEY_ENABLED(multi, ks)) + && TLS_AUTHENTICATED(multi, ks)) { if (!read_control_auth(buf, &session->tls_wrap, from, session->opt)) diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 4172e2fd..98985c51 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -948,7 +948,7 @@ tls_authentication_status(struct tls_multi *multi, const int latency) for (int i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = get_key_scan(multi, i); - if (DECRYPT_KEY_ENABLED(multi, ks)) + if (TLS_AUTHENTICATED(multi, ks)) { active++; if (ks->authenticated > KS_AUTH_FALSE) diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h index b3fe25d2..7e8b9710 100644 --- a/src/openvpn/ssl_verify.h +++ b/src/openvpn/ssl_verify.h 
@@ -95,15 +95,22 @@ enum tls_auth_status enum tls_auth_status tls_authentication_status(struct tls_multi *multi, const int latency); -/** Check whether the \a ks \c key_state is ready to receive data channel - * packets. +/** Check whether the \a ks \c key_state has finished the key exchange part + * of the OpenVPN hand shake. This is that the key_method_2read/write + * handshakes have been completed and certificate verification have + * been completed. + * + * connect/deferred auth might still pending. Also data-channel keys might + * not have been created since they are delayed until PUSH_REPLY for NCP + * clients. + * * @ingroup data_crypto * * If true, it is safe to assume that this session has been authenticated * by TLS. * * @note This macro only works if S_SENT_KEY + 1 == S_GOT_KEY. */ -#define DECRYPT_KEY_ENABLED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server)) +#define TLS_AUTHENTICATED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server)) /** * Remove the given key state's auth control file, if it exists.
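Review bot: In the ssl.c handle_data_channel_packet hunk, the condition keeps the separate `(ks->authenticated == KS_AUTH_TRUE)` test next to the renamed `TLS_AUTHENTICATED(multi, ks)`, and that separation is now load-bearing: per the new ssl_verify.h comment, TLS_AUTHENTICATED is true while connect/deferred auth may still be pending, so the `ks->authenticated` check is what actually gates data-channel packets. The surrounding comment only talks about passive/active sides; suggest one line above the `if` saying that TLS_AUTHENTICATED covers the key exchange and certificate check while `ks->authenticated` covers deferred/script auth, so nobody later "simplifies" the two into one.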
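Review bot: In the ssl.c tls_pre_decrypt hunk, `op == P_CONTROL_SOFT_RESET_V1 && TLS_AUTHENTICATED(multi, ks)` means a peer that has completed the TLS key exchange but whose deferred auth is still pending can already trigger a renegotiation (the packet still has to pass `read_control_auth`). That matches the "semi-trusted session can forward data on the TLS control channel but not on the tunnel channel" comment in the tls_multi_process hunk, but since the rename is what makes this visible, a short comment here stating that soft resets are accepted on TLS-authenticated sessions regardless of deferred-auth state would document the intent.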
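Review bot: In the ssl_verify.c tls_authentication_status hunk, the counter incremented under `TLS_AUTHENTICATED(multi, ks)` is still called `active`, which no longer says what is being counted now that the macro name does; the inner `ks->authenticated > KS_AUTH_FALSE` test then refines it. A rename to something like `tls_authenticated` would keep the variable in step with the macro (style point only; behaviour is unchanged).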
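Review bot: In the ssl_verify.h hunk the new doc comment needs a grammar pass and a tidy-up: "hand shake" should be "handshake", "certificate verification have been completed" should be "has been completed", "connect/deferred auth might still pending" is missing "be", and "This is that the key_method_2read/write handshakes have been completed" reads awkwardly (suggest "This means that the key_method_2 read/write handshakes have completed and certificate verification has completed."). The `@ingroup data_crypto` tag now sits in the middle of the description, between the new paragraphs and the retained "If true, it is safe to assume that this session has been authenticated by TLS." sentence, which itself now duplicates the first paragraph; suggest moving `@ingroup` next to `@note` at the end and dropping or merging the duplicated sentence. The `@note` about `S_SENT_KEY + 1 == S_GOT_KEY` is still accurate for the unchanged `(ks)->state >= (S_GOT_KEY - (multi)->opt.server)` body and should stay.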