From patchwork Tue Jun 21 06:16:46 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arne Schwabe <arne@rfc2549.org>
X-Patchwork-Id: 2517
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Delivered-To: patchwork@openvpn.net
Received: from director8.mail.ord1d.rsapps.net ([172.27.255.56])
	by backend41.mail.ord1d.rsapps.net with LMTP
	id YI98G0PvsWJsKAAAqwncew
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 21 Jun 2022 12:18:11 -0400
Received: from proxy21.mail.iad3a.rsapps.net ([172.27.255.56])
	by director8.mail.ord1d.rsapps.net with LMTP
	id wAeQG0PvsWLXSQAAfY0hYg
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 21 Jun 2022 12:18:11 -0400
Received: from smtp31.gate.iad3a ([172.27.255.56])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by proxy21.mail.iad3a.rsapps.net with LMTPS
	id 0PMlFkPvsWK3RgAASBQwCQ
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 21 Jun 2022 12:18:11 -0400
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-Orig-To: openvpnslackdevel@openvpn.net
X-Originating-Ip: [216.105.38.7]
Authentication-Results: smtp31.gate.iad3a.rsapps.net;
 iprev=pass policy.iprev="216.105.38.7";
 spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net"
 smtp.helo="lists.sourceforge.net";
 dkim=fail (signature verification failed) header.d=sourceforge.net;
 dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil;
 dis=none) header.from=rfc2549.org
X-Suspicious-Flag: YES
X-Classification-ID: bdab2c3a-f17d-11ec-96ac-5254003d9392-1-1
Received: from [216.105.38.7] ([216.105.38.7:50480]
 helo=lists.sourceforge.net)
	by smtp31.gate.iad3a.rsapps.net (envelope-from
 <openvpn-devel-bounces@lists.sourceforge.net>)
	(ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384)
	id 6B/22-27102-24FE1B26; Tue, 21 Jun 2022 12:18:10 -0400
Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com)
	by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1o3gYs-0008HJ-6J; Tue, 21 Jun 2022 16:17:07 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2)
 (envelope-from <arne@kamera.blinkt.de>) id 1o3gYq-0008H6-EC
 for openvpn-devel@lists.sourceforge.net; Tue, 21 Jun 2022 16:17:05 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=08H4yIcIZSxnBdc2xWCpjigBw07xYIYe7hg/pqzBRDo=; b=hpJetLOImgcuCzflFsEz28swsB
 RWlN/uTz9iQ2094Crl4h9mELNd0Uo+lo+msGKLLeUDwjDkzltOsiRMosqpB3VHjwUQ74p+4BbPvoS
 rdhUOnvOAUZEZnjOaC5kFqlm7G1LzKs1zZwuR3Txu14mLLbXsAej78ag5G+WWGHRvces=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id:
 Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=08H4yIcIZSxnBdc2xWCpjigBw07xYIYe7hg/pqzBRDo=; b=IvIe4EN5al8iY5FuSo5EhgykSK
 kj2OI3pAfW2PumajGx9qHgl1Dj1e70GEJ3Wz+knAGvjX5Q/ToZNkox/f8Qd1kRjhXjQy7jDrgDbfz
 Ao22YYSFE5vYrtAzff8TpNqwgmnE6Fpz72j/KvHDvcKBAVpGPx4Fls9rM2Bun1CfRAIc=;
Received: from mail.blinkt.de ([192.26.174.232])
 by sfi-mx-1.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2)
 id 1o3gYl-009WjA-Gn
 for openvpn-devel@lists.sourceforge.net; Tue, 21 Jun 2022 16:17:05 +0000
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c])
 by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD))
 (envelope-from <arne@kamera.blinkt.de>) id 1o3gYc-000DmH-3B
 for openvpn-devel@lists.sourceforge.net;
 Tue, 21 Jun 2022 18:16:50 +0200
Received: (nullmailer pid 2873039 invoked by uid 10006);
 Tue, 21 Jun 2022 16:16:50 -0000
From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 21 Jun 2022 18:16:46 +0200
Message-Id: <20220621161649.2872985-3-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20220621161649.2872985-1-arne@rfc2549.org>
References: <20220621161649.2872985-1-arne@rfc2549.org>
MIME-Version: 1.0
X-Spam-Report: Spam detection software,
 running on the system "util-spamd-1.v13.lw.sourceforge.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: This allow the code later to check if the cipher is okay to
 use and update it for the calculation for the max MTU size. Signed-off-by:
 Arne Schwabe <arne@rfc2549.org> --- src/openvpn/ssl.c | 11 +
 src/openvpn/ssl_ncp.c
 | 22 ++++++++++++++++++++++ src/openvpn/ssl_ncp.h | 8 ++++++++ 3 files
 changed,
 31 insertion [...]
 Content analysis details:   (0.3 points, 6.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
 mail domains are different
 0.0 SPF_NONE               SPF: sender does not publish an SPF Record
X-Headers-End: 1o3gYl-009WjA-Gn
Subject: [Openvpn-devel] [PATCH 3/6] Extract update_session_cipher into
 standalone function
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox

This allow the code later to check if the cipher is okay to use and
update it for the calculation for the max MTU size.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-By: Frank Lichtenheld <frank@lichtenheld.com>
---
 src/openvpn/ssl.c     | 11 +----------
 src/openvpn/ssl_ncp.c | 22 ++++++++++++++++++++++
 src/openvpn/ssl_ncp.h |  8 ++++++++
 3 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 61dea996d..ddd90080b 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1678,17 +1678,8 @@ tls_session_update_crypto_params(struct tls_session *session,
                                  struct frame *frame_fragment,
                                  struct link_socket_info *lsi)
 {
-
-    bool cipher_allowed_as_fallback = options->enable_ncp_fallback
-                                      && streq(options->ciphername, session->opt->config_ciphername);
-
-    if (!session->opt->server && !cipher_allowed_as_fallback
-        && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
+    if (!update_session_cipher(session, options))
     {
-        msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s",
-            options->ciphername, options->ncp_ciphers);
-        /* undo cipher push, abort connection setup */
-        options->ciphername = session->opt->config_ciphername;
         return false;
     }
 
diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index 564942503..c800f718f 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -490,3 +490,25 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
 
     gc_free(&gc);
 }
+
+
+bool
+update_session_cipher(struct tls_session *session, struct options *options)
+{
+    bool cipher_allowed_as_fallback = options->enable_ncp_fallback
+                                      && streq(options->ciphername, session->opt->config_ciphername);
+
+    if (!session->opt->server && !cipher_allowed_as_fallback
+        && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
+    {
+        msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s",
+            options->ciphername, options->ncp_ciphers);
+        /* undo cipher push, abort connection setup */
+        options->ciphername = session->opt->config_ciphername;
+        return false;
+    }
+    else
+    {
+        return true;
+    }
+}
diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h
index 853017f5f..5ba2f7ae7 100644
--- a/src/openvpn/ssl_ncp.h
+++ b/src/openvpn/ssl_ncp.h
@@ -148,4 +148,12 @@ const char *
 get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info,
                    struct gc_arena *gc);
 
+
+/**
+ * Checks if the cipher is allowed and updates the TLS session cipher with it,
+ * otherwise returns false
+ */
+bool
+update_session_cipher(struct tls_session *session, struct options *options);
+
 #endif /* ifndef OPENVPN_SSL_NCP_H */