From patchwork Mon Apr 25 02:27:09 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2414
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 25 Apr 2022 14:27:09 +0200
Message-Id: <20220425122709.4148015-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20220422134038.3801239-4-arne@rfc2549.org>
References: <20220422134038.3801239-4-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2] Move pre decrypt lite check to its own function

This prepares for extending this function with the HMAC based session ID check.
Replace the check for m->top.c2.tls_auth_standalone with an ASSERT as this code path is only used in multi udp server and OpenVPN initialises the tls_auth_standalone always for the TOP context (CF_INIT_TLS_AUTH_STANDALONE), even for the tcp m2mp server that does not use it). Patch v2: replace if with ASSERT Signed-off-by: Arne Schwabe Acked-By: Frank Lichtenheld --- src/openvpn/mudp.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 4fbe3c1a3..780ca171d 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -39,6 +39,17 @@ #include #endif +static bool +do_pre_decrypt_check(struct multi_context *m) +{ + ASSERT(m->top.c2.tls_auth_standalone); + if (!tls_pre_decrypt_lite(m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf)) + { + return false; + } + return true; +} + /* * Get a client instance based on real address. If * the instance doesn't exist, create it while @@ -95,8 +106,7 @@ multi_get_create_instance_udp(struct multi_context *m, bool *floated) } if (!mi) { - if (!m->top.c2.tls_auth_standalone - || tls_pre_decrypt_lite(m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf)) + if (do_pre_decrypt_check(m)) { if (frequency_limit_event_allowed(m->new_connection_limiter)) {
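Review bot: In the new do_pre_decrypt_check() (hunk @@ -39,6 +39,17 @@) the `if (!tls_pre_decrypt_lite(...)) { return false; } return true;` shape is equivalent to `return tls_pre_decrypt_lite(...);` as it stands; the commit message says the extra structure is scaffolding for the upcoming HMAC session ID check, so if it is kept, a short comment above the function saying so (and that a false return means the packet must not create a client instance) will stop the next reader from proposing the simplification. The ASSERT also changes the failure mode of this path: the old condition silently skipped the check when m->top.c2.tls_auth_standalone was NULL, whereas now a NULL pointer aborts the server on the first packet that reaches the new-instance path, so the comment should name the invariant the assert relies on (tls_auth_standalone is always initialised for the top context via CF_INIT_TLS_AUTH_STANDALONE, as the commit message states) so that the precondition is visible at the assert and not only in the git history.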
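Review bot: At the call site (hunk @@ -95,8 +106,7 @@) dropping the `!m->top.c2.tls_auth_standalone ||` short-circuit makes the pre-decrypt lite check mandatory before frequency_limit_event_allowed() and instance creation are reached; that is the behavioural change the commit message argues is safe and it is consistent with the ASSERT in the helper, so the logic is fine. One naming point: do_pre_decrypt_check reads as an action rather than a predicate, so `if (do_pre_decrypt_check(m))` does not say which outcome is true; a name such as pre_decrypt_check_passed, or a comment on the return value at the definition, would make the condition self-explanatory. The change is confined to the `if (!mi)` branch, so the existing-instance path is untouched.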