| Message ID | 20220625234150.3398864-1-arne@rfc2549.org |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [Openvpn-devel,v3,1/5] Extract update_session_cipher into standalone function | expand |
Hi, On Sun, Jun 26, 2022 at 01:41:46AM +0200, Arne Schwabe wrote: > + > +/** > + * Checks if the cipher is allowed and updates the TLS session cipher with it, > + * otherwise returns false > + */ > +bool > +update_session_cipher(struct tls_session *session, struct options *options); > + Is that comment correct? I can't find any "updating" here, only "checking". What am I overlooking? gert
Am 27.07.22 um 20:58 schrieb Gert Doering: > Hi, > > On Sun, Jun 26, 2022 at 01:41:46AM +0200, Arne Schwabe wrote: >> + >> +/** >> + * Checks if the cipher is allowed and updates the TLS session cipher with it, >> + * otherwise returns false >> + */ >> +bool >> +update_session_cipher(struct tls_session *session, struct options *options); >> + > > Is that comment correct? I can't find any "updating" here, only "checking". > > What am I overlooking? > It sets options->cipher sometimes but the name is misleading. I will rename to check_session_cipher Arne
Hi, On Thu, Jul 28, 2022 at 03:47:53PM +0200, Arne Schwabe wrote: > > Is that comment correct? I can't find any "updating" here, only "checking". > > > > What am I overlooking? > > It sets options->cipher sometimes but the name is misleading. I will > rename to check_session_cipher The "options->cipher setting" part is more "restore to config if requested cipher is not allowed" - so that one I understood ;-) gert
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 61dea996d..ddd90080b 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1678,17 +1678,8 @@ tls_session_update_crypto_params(struct tls_session *session, struct frame *frame_fragment, struct link_socket_info *lsi) { - - bool cipher_allowed_as_fallback = options->enable_ncp_fallback - && streq(options->ciphername, session->opt->config_ciphername); - - if (!session->opt->server && !cipher_allowed_as_fallback - && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) + if (!update_session_cipher(session, options)) { - msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s", - options->ciphername, options->ncp_ciphers); - /* undo cipher push, abort connection setup */ - options->ciphername = session->opt->config_ciphername; return false; } diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 564942503..c800f718f 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -490,3 +490,25 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session) gc_free(&gc); } + + +bool +update_session_cipher(struct tls_session *session, struct options *options) +{ + bool cipher_allowed_as_fallback = options->enable_ncp_fallback + && streq(options->ciphername, session->opt->config_ciphername); + + if (!session->opt->server && !cipher_allowed_as_fallback + && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) + { + msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s", + options->ciphername, options->ncp_ciphers); + /* undo cipher push, abort connection setup */ + options->ciphername = session->opt->config_ciphername; + return false; + } + else + { + return true; + } +} diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h index 853017f5f..5ba2f7ae7 100644 --- a/src/openvpn/ssl_ncp.h +++ b/src/openvpn/ssl_ncp.h @@ -148,4 +148,12 @@ const char * get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc); + +/** + * Checks if the cipher is allowed and updates the TLS session cipher with it, + * otherwise returns false + */ +bool +update_session_cipher(struct tls_session *session, struct options *options); + #endif /* ifndef OPENVPN_SSL_NCP_H */
This allow the code later to check if the cipher is okay to use and update it for the calculation for the max MTU size. Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- src/openvpn/ssl.c | 11 +---------- src/openvpn/ssl_ncp.c | 22 ++++++++++++++++++++++ src/openvpn/ssl_ncp.h | 8 ++++++++ 3 files changed, 31 insertions(+), 10 deletions(-)