From patchwork Sat Dec 24 19:42:45 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2941
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 24 Dec 2022 20:42:45 +0100
Message-Id: <20221224194253.3202231-2-arne@rfc2549.org>
In-Reply-To: <20221224194253.3202231-1-arne@rfc2549.org>
References: <20221224194253.3202231-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 1/9] Rename TM_UNTRUSTED to TM_INITIAL
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/ssl.c | 16 ++++++++-------- src/openvpn/ssl.h | 2 +- src/openvpn/ssl_common.h | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9e5480528..a5fb4fd22 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -890,8 +890,8 @@ session_index_name(int index) case TM_ACTIVE: return "TM_ACTIVE"; - case TM_UNTRUSTED: - return "TM_UNTRUSTED"; + case TM_INITIAL: + return "TM_INITIAL"; case TM_LAME_DUCK: return "TM_LAME_DUCK"; @@ -1330,7 +1330,7 @@ tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu) if (!multi->opt.single_session) { - tls_session_init(multi, &multi->session[TM_UNTRUSTED]); + tls_session_init(multi, &multi->session[TM_INITIAL]); } } @@ -3250,7 +3250,7 @@ tls_multi_process(struct tls_multi *multi, if (multi->multi_state >= CAS_CONNECT_DONE) { /* Only generate keys for the TM_ACTIVE session. We defer generating - * keys for TM_UNTRUSTED until we actually trust it. + * keys for TM_INITIAL until we actually trust it. * For TM_LAME_DUCK it makes no sense to generate new keys. */ struct tls_session *session = &multi->session[TM_ACTIVE]; struct key_state *ks = &session->key[KS_PRIMARY]; @@ -3299,9 +3299,9 @@ tls_multi_process(struct tls_multi *multi, * verification failed. A semi-trusted session can forward data on the * TLS control channel but not on the tunnel channel. */ - if (TLS_AUTHENTICATED(multi, &multi->session[TM_UNTRUSTED].key[KS_PRIMARY])) + if (TLS_AUTHENTICATED(multi, &multi->session[TM_INITIAL].key[KS_PRIMARY])) { - move_session(multi, TM_ACTIVE, TM_UNTRUSTED, true); + move_session(multi, TM_ACTIVE, TM_INITIAL, true); msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: untrusted session promoted to %strusted", tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-"); 
@@ -3720,7 +3720,7 @@ tls_pre_decrypt(struct tls_multi *multi, print_link_socket_actual(from, &gc)); new_link = true; - i = TM_UNTRUSTED; + i = TM_INITIAL; session->untrusted_addr = *from; } else @@ -3731,7 +3731,7 @@ tls_pre_decrypt(struct tls_multi *multi, /* * Packet must belong to an existing session. */ - if (i != TM_ACTIVE && i != TM_UNTRUSTED) + if (i != TM_ACTIVE && i != TM_INITIAL) { msg(D_TLS_ERRORS, "TLS Error: Unroutable control packet received from %s (si=%d op=%s)", diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 55c672d44..bd27e57a0 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -159,7 +159,7 @@ struct tls_multi *tls_multi_init(struct tls_options *tls_options); * @ingroup control_processor * * This function initializes the \c TM_ACTIVE \c tls_session, and in - * server mode also the \c TM_UNTRUSTED \c tls_session, associated with + * server mode also the \c TM_INITIAL \c tls_session, associated with * this \c tls_multi structure. It also configures the control channel's * \c frame structure based on the data channel's \c frame given in * argument \a frame. diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 978a9fca0..7d9c2460b 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -512,7 +512,7 @@ struct tls_session * * @{ */ #define TM_ACTIVE 0 /**< Active \c tls_session. */ -#define TM_UNTRUSTED 1 /**< As yet un-trusted \c tls_session +#define TM_INITIAL 1 /**< As yet un-trusted \c tls_session * being negotiated. */ #define TM_LAME_DUCK 2 /**< Old \c tls_session. */ #define TM_SIZE 3 /**< Size of the \c tls_multi.session
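Review bot: In the tls_multi_process hunk at @@ -3299, the comment "A semi-trusted session can forward data on the TLS control channel but not on the tunnel channel" and the log line "TLS: tls_multi_process: untrusted session promoted to %strusted" still describe the slot as untrusted while the index it refers to is now TM_INITIAL. Either the wording should follow the rename so the code and its messages agree, or the commit message should state that the user-visible log text is left unchanged on purpose; as posted, a reader of this hunk cannot tell which was intended.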
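Review bot: In the tls_pre_decrypt hunk at @@ -3720, the line directly after the rename, `session->untrusted_addr = *from;`, keeps the old terminology on the struct member, so the new-session path now reads `i = TM_INITIAL;` followed by an assignment to `untrusted_addr`. If the intent is to retire the "untrusted" naming for this slot, the member deserves the same treatment (or a note in the commit message that only the session index is being renamed in this patch), otherwise the partial rename is likely to confuse the next reader of this function.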
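Review bot: In the ssl_common.h hunk at @@ -512, the Doxygen text for the renamed define still reads `/**< As yet un-trusted \c tls_session * being negotiated. */`, so the name TM_INITIAL and its own documentation now disagree, and the commit message carries no body explaining why TM_UNTRUSTED was the wrong name. Suggest updating the comment in the same hunk, e.g. `#define TM_INITIAL 1 /**< Initial \c tls_session slot: a new session being negotiated, not yet trusted. */`, and adding a one-line rationale to the commit message so the reason for the rename survives in history.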