From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 24 Jun 2022 13:13:15 +0200
Message-Id: <20220624111318.3219982-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2 1/4] Extract update_session_cipher into standalone function

This allows the code later to check if the cipher is okay to use and update it for the calculation for the max MTU size.
Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c | 11 +---------- src/openvpn/ssl_ncp.c | 22 ++++++++++++++++++++++ src/openvpn/ssl_ncp.h | 8 ++++++++ 3 files changed, 31 insertions(+), 10 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 61dea996d..ddd90080b 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1678,17 +1678,8 @@ tls_session_update_crypto_params(struct tls_session *session, struct frame *frame_fragment, struct link_socket_info *lsi) { - - bool cipher_allowed_as_fallback = options->enable_ncp_fallback - && streq(options->ciphername, session->opt->config_ciphername); - - if (!session->opt->server && !cipher_allowed_as_fallback - && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) + if (!update_session_cipher(session, options)) { - msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s", - options->ciphername, options->ncp_ciphers); - /* undo cipher push, abort connection setup */ - options->ciphername = session->opt->config_ciphername; return false; } diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 564942503..c800f718f 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -490,3 +490,25 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session) gc_free(&gc); } + + +bool +update_session_cipher(struct tls_session *session, struct options *options) +{ + bool cipher_allowed_as_fallback = options->enable_ncp_fallback + && streq(options->ciphername, session->opt->config_ciphername); + + if (!session->opt->server && !cipher_allowed_as_fallback + && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) + { + msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s", + options->ciphername, options->ncp_ciphers); + /* undo cipher push, abort connection setup */ + options->ciphername = session->opt->config_ciphername; + return false; + } + else + { + return true; + } +} 
diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h index 853017f5f..5ba2f7ae7 100644 --- a/src/openvpn/ssl_ncp.h +++ b/src/openvpn/ssl_ncp.h @@ -148,4 +148,12 @@ const char * get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc); + +/** + * Checks if the cipher is allowed and updates the TLS session cipher with it, + * otherwise returns false + */ +bool +update_session_cipher(struct tls_session *session, struct options *options); + #endif /* ifndef OPENVPN_SSL_NCP_H */
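Review bot: in the ssl.c hunk the removed block is reproduced verbatim in update_session_cipher, so the change is behaviour-neutral, but the caller now relies on the callee resetting `options->ciphername` to `session->opt->config_ciphername` before the `return false`, and that side effect is no longer visible to a reader of tls_session_update_crypto_params. A one-line comment at the call site, e.g. `/* update_session_cipher() restores config_ciphername on failure */`, would keep it in view; alternatively document the reset in the commit message, which currently only talks about the later MTU use.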
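Review bot: in the ssl_ncp.c hunk the `else { return true; }` after a branch that already returns is redundant; a bare `return true;` after the `if` block reads cleaner and matches how the original code in ssl.c fell through. Two further points: the hunk inserts two blank lines before `bool`, where one would do, and the whole check is skipped when `session->opt->server` is set, so on the server side the function always returns true without looking at `options->ciphername` or `options->ncp_ciphers`. If the later callers mentioned in the commit message (the max MTU calculation) are expected to run on the server as well, that client-only asymmetry should be stated in the function's documentation.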
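Review bot: in the ssl_ncp.h hunk the doxygen comment does not match the implementation in ssl_ncp.c: on failure the function logs and resets `options->ciphername` to `session->opt->config_ciphername`, which should be documented as a side effect, and on success the visible code modifies nothing, so "updates the TLS session cipher with it" overstates what happens. Suggest `@param session`, `@param options` and a `@return` line such as `@return true if options->ciphername may be used, false (with options->ciphername restored to the configured cipher) otherwise`. Also confirm that `struct options` is visible in ssl_ncp.h through an include or forward declaration, since the prototype depends on it and the hunk adds none.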