From patchwork Thu Feb 17 03:23:06 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 2298 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.27.255.8]) by backend41.mail.ord1d.rsapps.net with LMTP id JO5sL3haDmImYQAAqwncew (envelope-from ) for ; Thu, 17 Feb 2022 09:23:52 -0500 Received: from proxy17.mail.iad3a.rsapps.net ([172.27.255.8]) by director14.mail.ord1d.rsapps.net with LMTP id SF2AB3laDmLPSQAAeJ7fFg (envelope-from ) for ; Thu, 17 Feb 2022 09:23:53 -0500 Received: from smtp2.gate.iad3a ([172.27.255.8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy17.mail.iad3a.rsapps.net with LMTPS id mEDTMHlaDmLBVQAAR4KW9A (envelope-from ) for ; Thu, 17 Feb 2022 09:23:53 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp2.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=unstable.cc X-Suspicious-Flag: YES X-Classification-ID: 3aed68a8-8ffd-11ec-bc70-525400de56ae-1-1 Received: from [216.105.38.7] ([216.105.38.7:56684] helo=lists.sourceforge.net) by smtp2.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 14/E9-02507-87A5E026; Thu, 17 Feb 2022 09:23:52 -0500 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nKhgU-0007E4-N5; Thu, 17 Feb 2022 14:23:01 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nKhgT-0007Ds-R7 for openvpn-devel@lists.sourceforge.net; Thu, 17 Feb 2022 14:23:00 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=iq0EcL33hn2FMF5wD2Xz0lKTEqkCr3nnS9QTPdSw0G8=; b=Q+p+D4/1d46QWtiHxJXGoNjzuw EB0OEgAj0JXmIof2wLIOkL/nXTxuKoi79wS1c2qzhHXGQCU2Lslb//XIuP7yI1t/v7aIv8x+RXk9q DRYGPfqNJXuN7epswxd+Mf4nDwK2SI0pJgV9LGzMwYRcUpE8NEJi5SrJ/XF2wth/c3s8=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:Cc:To:From :Sender:Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=iq0EcL33hn2FMF5wD2Xz0lKTEqkCr3nnS9QTPdSw0G8=; b=Z gGVKfAzWKrttJ2I2ywig8evCcXoZI9MHy8vAvNF5UxH6nfRiUvFFPu/gQFnvWpmpU+QbRObqT4HMD iA7IYT0RNGFJ7us57jKLLW0A0FkCyKO/kEiT5+zNdhxmmE6wwdSPP3LElLJOSZz3TlRuGC6K0fTeZ RIv1hzvCPjqrjyrY=; Received: from s2.neomailbox.net ([5.148.176.60]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1nKhgO-004qSx-QB for openvpn-devel@lists.sourceforge.net; Thu, 17 Feb 2022 14:23:00 +0000 From: Antonio Quartulli To: openvpn-devel@lists.sourceforge.net Date: Thu, 17 Feb 2022 15:23:06 +0100 Message-Id: <20220217142306.8108-1-a@unstable.cc> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: At the moment we have tls_crypt_kt() and auth_token_kt that basically do the same thing, but with different algorithms used to inizialise the structure. In order to avoid code duplication and copy/paste errors, unify code and make it parametric, so that it can be re-used in various places. Content analysis details: (-0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1nKhgO-004qSx-QB Subject: [Openvpn-devel] [PATCH] crypto: unify key_type creation code X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Antonio Quartulli Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox At the moment we have tls_crypt_kt() and auth_token_kt that basically do the same thing, but with different algorithms used to inizialise the structure. In order to avoid code duplication and copy/paste errors, unify code and make it parametric, so that it can be re-used in various places. Signed-off-by: Antonio Quartulli --- src/openvpn/auth_token.c | 20 +------------------- src/openvpn/crypto.h | 31 +++++++++++++++++++++++++++++++ src/openvpn/tls_crypt.c | 27 +++------------------------ 3 files changed, 35 insertions(+), 43 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index 10c9dde6..6aae73c9 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -30,24 +30,6 @@ const char *auth_token_pem_name = "OpenVPN auth-token server key"; /* Size of the data of the token (not b64 encoded and without prefix) */ #define TOKEN_DATA_LEN (2 * sizeof(int64_t) + AUTH_TOKEN_SESSION_ID_LEN + 32) -static struct key_type -auth_token_kt(void) -{ - struct key_type kt = { 0 }; - /* We do not encrypt our session tokens */ - kt.cipher = "none"; - kt.digest = "SHA256"; - - if (!md_valid(kt.digest)) - { - msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); - return (struct key_type) { 0 }; - } - - return kt; -} - - void add_session_token_env(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up) @@ -138,7 +120,7 @@ void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline) { - struct key_type kt = auth_token_kt(); + struct key_type kt = create_kt("none", "SHA256", "auth-gen-token"); struct buffer server_secret_key = alloc_buf(2048); diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 6e505517..734b696c 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -547,4 +547,35 @@ key_ctx_bi_defined(const struct key_ctx_bi *key) */ const char *print_key_filename(const char *str, bool is_inline); +/** + * Creates and validates an instance of struct key_type with the provided + * algs. + * + * @param cipher the cipher algorithm to use (must be a string literal) + * @param md the digest algorithm to use (must be a string literal) + * + * @return the initialized key_type instance + */ +static inline struct key_type +create_kt(const char *cipher, const char *md, const char *optname) +{ + struct key_type kt; + kt.cipher = cipher; + kt.digest = md; + + if (cipher_defined(kt.cipher) && !cipher_valid(kt.cipher)) + { + msg(M_WARN, "ERROR: --%s requires %s support.", optname, kt.cipher); + return (struct key_type) { 0 }; + } + if (md_defined(kt.digest) && !md_valid(kt.digest)) + { + msg(M_WARN, "ERROR: --%s requires %s support.", optname, kt.digest); + return (struct key_type) { 0 }; + } + + return kt; +} + + #endif /* CRYPTO_H */ diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index aae2a917..99e85010 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -47,27 +47,6 @@ static const uint8_t TLS_CRYPT_METADATA_TYPE_USER = 0x00; /** Metadata contains a 64-bit unix timestamp in network byte order */ static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP = 0x01; -static struct key_type -tls_crypt_kt(void) -{ - struct key_type kt; - kt.cipher = "AES-256-CTR"; - kt.digest = "SHA256"; - - if (!cipher_valid(kt.cipher)) - { - msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support."); - return (struct key_type) { 0 }; - } - if (!md_valid(kt.digest)) - { - msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); - return (struct key_type) { 0 }; - } - - return kt; -} - int tls_crypt_buf_overhead(void) { @@ -80,7 +59,7 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, { const int key_direction = tls_server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE; - struct key_type kt = tls_crypt_kt(); + struct key_type kt = create_kt("AES-256-CTR", "SHA256", "tls-crypt"); if (!kt.cipher || !kt.digest) { msg(M_FATAL, "ERROR: --tls-crypt not supported"); @@ -271,7 +250,7 @@ tls_crypt_v2_load_client_key(struct key_ctx_bi *key, const struct key2 *key2, { const int key_direction = tls_server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE; - struct key_type kt = tls_crypt_kt(); + struct key_type kt = create_kt("AES-256-CTR", "SHA256", "tls-crypt"); if (!kt.cipher || !kt.digest) { msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported"); @@ -319,7 +298,7 @@ tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, msg(M_FATAL, "ERROR: invalid tls-crypt-v2 server key format"); } - struct key_type kt = tls_crypt_kt(); + struct key_type kt = create_kt("AES-256-CTR", "SHA256", "tls-crypt"); if (!kt.cipher || !kt.digest) { msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported");