From patchwork Fri Feb 26 00:10:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1601 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director13.mail.ord1d.rsapps.net ([172.27.255.9]) by backend30.mail.ord1d.rsapps.net with LMTP id ePjpLHLXOGCvMQAAIUCqbw (envelope-from ) for ; Fri, 26 Feb 2021 06:11:46 -0500 Received: from proxy1.mail.iad3a.rsapps.net ([172.27.255.9]) by director13.mail.ord1d.rsapps.net with LMTP id 4CuuLHLXOGBifQAA91zNiA (envelope-from ) for ; Fri, 26 Feb 2021 06:11:46 -0500 Received: from smtp16.gate.iad3a ([172.27.255.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy1.mail.iad3a.rsapps.net with LMTPS id gG4IJ3LXOGC3dQAA8TVjwQ (envelope-from ) for ; Fri, 26 Feb 2021 06:11:46 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp16.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 6984bdd0-7823-11eb-b746-5254004ee196-1-1 Received: from [216.105.38.7] ([216.105.38.7:51760] helo=lists.sourceforge.net) by smtp16.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id E3/34-07165-177D8306; Fri, 26 Feb 2021 06:11:46 -0500 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1lFb19-0006lG-B4; Fri, 26 Feb 2021 11:10:43 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lFb13-0006kx-DC for openvpn-devel@lists.sourceforge.net; Fri, 26 Feb 2021 11:10:37 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=hKLeW1nN+Iocax3Q/JEhAslWeIyHyUgBEb8EUfEb1dg=; b=H+gJTJE9P0RQqzSsE7pfM0ILdb w6hbZ5ulqgRsZTk8pWCatwzIN3fgCgEvWuop1gp5QEm1zsVIyJdmk9NqnTGmUE4iItKl8/Lzoc4Uu 0+A9Blp/e5UV3lhhFx7UnhaW05JW1x3Ps8r9RqHBNa8thhgIHO4z0Yg9oQogv9WEYbZ4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=hKLeW1nN+Iocax3Q/JEhAslWeIyHyUgBEb8EUfEb1dg=; b=E/LKsHOXctR2Lr0yM5EeRW0GWa OPRAXBXIw7onmVP/iLM7NFuK2mN+z4/qcVY6EPmsvZ6U5pxKYNKTKdeiP1QD1vqUrIFZFla1pxK0Z ayconHC/mgKuEJDffJSEGkef0D/EnkqKjdqbyfI1trYe4V211Q5VP9v8W0qGvv3NtT+Q=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1lFb0q-0000yD-Mm for openvpn-devel@lists.sourceforge.net; Fri, 26 Feb 2021 11:10:33 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1lFb0f-0003vJ-1n for openvpn-devel@lists.sourceforge.net; Fri, 26 Feb 2021 12:10:13 +0100 Received: (nullmailer pid 21315 invoked by uid 10006); Fri, 26 Feb 2021 11:10:12 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Fri, 26 Feb 2021 12:10:12 +0100 Message-Id: <20210226111012.21269-1-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210214201012.GZ976@greenie.muc.de> References: <20210214201012.GZ976@greenie.muc.de> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: makefile.am] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1lFb0q-0000yD-Mm Subject: [Openvpn-devel] [PATCH v3] Refactor extract_var_peer_info into standalone function and add ssl_util.c X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Our "natural" place for this function would be ssl.c but ssl.c has a lot of dependencies on all kinds of other compilation units so including ssl.c into unit tests is near impossible currently. Instead create a new file ssl_util.c that holds small utility functions like this one. Patch v2: add newline add the end of sll_util.h and ssl_util.c Patch v3: Refactor/clean up the function even more as suggested by Gert. Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/Makefile.am | 1 + src/openvpn/openvpn.vcxproj | 2 + src/openvpn/openvpn.vcxproj.filters | 6 +++ src/openvpn/ssl.c | 2 +- src/openvpn/ssl_ncp.c | 20 ++------- src/openvpn/ssl_util.c | 61 ++++++++++++++++++++++++++++ src/openvpn/ssl_util.h | 49 ++++++++++++++++++++++ src/openvpn/ssl_verify.c | 1 + tests/unit_tests/openvpn/Makefile.am | 3 +- 9 files changed, 127 insertions(+), 18 deletions(-) create mode 100644 src/openvpn/ssl_util.c create mode 100644 src/openvpn/ssl_util.h diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index 37b002c6..ec84929b 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -119,6 +119,7 @@ openvpn_SOURCES = \ ssl_openssl.c ssl_openssl.h \ ssl_mbedtls.c ssl_mbedtls.h \ ssl_ncp.c ssl_ncp.h \ + ssl_util.c ssl_util.h \ ssl_common.h \ ssl_verify.c ssl_verify.h ssl_verify_backend.h \ ssl_verify_openssl.c ssl_verify_openssl.h \ diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 3863854b..cf31940c 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj @@ -212,6 +212,7 @@ + @@ -300,6 +301,7 @@ + diff --git a/src/openvpn/openvpn.vcxproj.filters b/src/openvpn/openvpn.vcxproj.filters index cf5748c7..e8aed2c5 100644 --- a/src/openvpn/openvpn.vcxproj.filters +++ b/src/openvpn/openvpn.vcxproj.filters @@ -243,6 +243,9 @@ Source Files + + Source Files + @@ -509,6 +512,9 @@ Header Files + + Header Files + diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 1389322e..228a851c 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -4089,4 +4089,4 @@ void ssl_clean_user_pass(void) { purge_user_pass(&auth_user_pass, false); -} +} \ No newline at end of file diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 45bddbe0..f02a3103 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -48,6 +48,7 @@ #include "common.h" #include "ssl_ncp.h" +#include "ssl_util.h" #include "openvpn.h" /** @@ -195,23 +196,10 @@ const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc) { /* Check if the peer sends the IV_CIPHERS list */ - const char *ncp_ciphers_start; - if (peer_info && (ncp_ciphers_start = strstr(peer_info, "IV_CIPHERS="))) + const char *iv_ciphers = extract_var_peer_info(peer_info,"IV_CIPHERS=", gc); + if (iv_ciphers) { - ncp_ciphers_start += strlen("IV_CIPHERS="); - const char *ncp_ciphers_end = strstr(ncp_ciphers_start, "\n"); - if (!ncp_ciphers_end) - { - /* IV_CIPHERS is at end of the peer_info list and no '\n' - * follows */ - ncp_ciphers_end = ncp_ciphers_start + strlen(ncp_ciphers_start); - } - - char *ncp_ciphers_peer = string_alloc(ncp_ciphers_start, gc); - /* NULL terminate the copy at the right position */ - ncp_ciphers_peer[ncp_ciphers_end - ncp_ciphers_start] = '\0'; - return ncp_ciphers_peer; - + return iv_ciphers; } else if (tls_peer_info_ncp_ver(peer_info)>=2) { diff --git a/src/openvpn/ssl_util.c b/src/openvpn/ssl_util.c new file mode 100644 index 00000000..a74e3b72 --- /dev/null +++ b/src/openvpn/ssl_util.c @@ -0,0 +1,61 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2020 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" + +#include "ssl_util.h" + +char * +extract_var_peer_info(const char *peer_info, const char *var, + struct gc_arena *gc) +{ + if (!peer_info) + { + return NULL; + } + + const char *var_start = strstr(peer_info, var); + if (!var_start) + { + /* variable not found in peer info */ + return NULL; + } + + var_start += strlen(var); + const char *var_end = strstr(var_start, "\n"); + if (!var_end) + { + /* var is at end of the peer_info list and no '\n' follows */ + var_end = var_start + strlen(var_start); + } + + char *var_value = string_alloc(var_start, gc); + /* NULL terminate the copy at the right position */ + var_value[var_end - var_start] = '\0'; + return var_value; +} diff --git a/src/openvpn/ssl_util.h b/src/openvpn/ssl_util.h new file mode 100644 index 00000000..bc2ae30d --- /dev/null +++ b/src/openvpn/ssl_util.h @@ -0,0 +1,49 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2020 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +/** + * @file SSL utility function. This file (and its .c file) is designed to + * to be included in units/etc without pulling in a lot of dependencies + */ + +#ifndef SSL_UTIL_H_ +#define SSL_UTIL_H_ + +#include "buffer.h" + +/** + * Extracts a variable from peer info, the returned string will be allocated + * using the supplied gc_arena + * + * @param peer_info The peer's peer_info + * @param var The variable *including* =, e.g. IV_CIPHERS= + * + * @return The content of the variable as NULL terminated string or NULL if the + * variable cannot be found. + */ +char * +extract_var_peer_info(const char *peer_info, + const char *var, + struct gc_arena *gc); + +#endif diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index e04c5c35..e0ef399f 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -46,6 +46,7 @@ #endif #include "auth_token.h" #include "push.h" +#include "ssl_util.h" /** Maximum length of common name */ #define TLS_USERNAME_LEN 64 diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index f0880a6b..50f3a02e 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -125,4 +125,5 @@ ncp_testdriver_SOURCES = test_ncp.c mock_msg.c \ $(openvpn_srcdir)/crypto_openssl.c \ $(openvpn_srcdir)/otime.c \ $(openvpn_srcdir)/packet_id.c \ - $(openvpn_srcdir)/platform.c + $(openvpn_srcdir)/platform.c \ + $(openvpn_srcdir)/ssl_util.c