From patchwork Sun Dec 5 14:01:51 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2108 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id 8EJNDENhrWF6awAAqwncew (envelope-from ) for ; Sun, 05 Dec 2021 20:02:59 -0500 Received: from proxy11.mail.ord1d.rsapps.net ([172.30.191.6]) by director11.mail.ord1d.rsapps.net with LMTP id uORnD0NhrWGJVQAAvGGmqA (envelope-from ) for ; Sun, 05 Dec 2021 20:02:59 -0500 Received: from smtp13.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy11.mail.ord1d.rsapps.net with LMTPS id w8xsHjBhrWFhXwAAgKDEHA (envelope-from ) for ; Sun, 05 Dec 2021 20:02:40 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp13.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 40a4d7f6-5630-11ec-aa57-525400b197d9-1-1 Received: from [216.105.38.7] ([216.105.38.7:53604] helo=lists.sourceforge.net) by smtp13.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id D8/07-20852-2416DA16; Sun, 05 Dec 2021 20:02:59 -0500 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1mu2OK-0005UD-F1; Mon, 06 Dec 2021 01:02:04 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1mu2OI-0005U7-Uk for openvpn-devel@lists.sourceforge.net; Mon, 06 Dec 2021 01:02:02 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=TN3z6Hng4jsNEW0noiFraHNxSjrlFYhFtTPMeElfuBQ=; b=RxH6HbQZRfBP3VX48NxY0xkALQ +veubVe+NdOzoB32WXpOsDdratARZJRHVOTA8OlQKXmRG02mqBmHhCBx1Z4YYxu7/RQkvoWou84zA G/JYF3m7nQvaNg97XajBKTkdjn8AK2uYycaZoJUS27pAHUqSXzskKVB/B1GwbHN0mcAs=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=TN3z6Hng4jsNEW0noiFraHNxSjrlFYhFtTPMeElfuBQ=; b=CjELCemYznITiahqrHuTt2AnMZ 7ZsZpH8FpSZcLfqfq1FUuYLD0H3ItopEJxKztJIa5C8hnOaed+Jz0OT3ybgtF/jRx9JNT2XSU0KWr ZA9HiOdE+uhIWWi9eCd7zy9THwdoRYeA3v7xXEZOGene/sv98gnEVa6+KI/p6KSHrULM=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mu2OE-0001xN-V1 for openvpn-devel@lists.sourceforge.net; Mon, 06 Dec 2021 01:02:02 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mu2O7-0005mW-5M for openvpn-devel@lists.sourceforge.net; Mon, 06 Dec 2021 02:01:51 +0100 Received: (nullmailer pid 3072837 invoked by uid 10006); Mon, 06 Dec 2021 01:01:51 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 6 Dec 2021 02:01:51 +0100 Message-Id: <20211206010151.3072787-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211201180727.2496903-1-arne@rfc2549.org> References: <20211201180727.2496903-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This field is only set once to cipher_kt_key_size(kt.cipher) at the same time that kt.cipher is set and therefore completely redundant. This field was useful in the past when we supported cipher with variable key length as this field would then store the key length that we would use. Now that we do not support this anymore, we can sim [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1mu2OE-0001xN-V1 Subject: [Openvpn-devel] [PATCH v2 5/9] Remove key_type->cipher_length field X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This field is only set once to cipher_kt_key_size(kt.cipher) at the same time that kt.cipher is set and therefore completely redundant. This field was useful in the past when we supported cipher with variable key length as this field would then store the key length that we would use. Now that we do not support this anymore, we can simplify the code. Patch v2: correct print message that would print bytes instead bits. Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/crypto.c | 37 +++++++++++++++--------------------- src/openvpn/crypto.h | 1 - src/openvpn/crypto_backend.h | 3 +-- src/openvpn/crypto_mbedtls.c | 3 ++- src/openvpn/crypto_openssl.c | 4 ++-- src/openvpn/options.c | 2 +- src/openvpn/tls_crypt.c | 1 - 7 files changed, 21 insertions(+), 30 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 0d577624e..4d089fcc3 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -744,8 +744,6 @@ init_key_type(struct key_type *kt, const char *ciphername, msg(M_FATAL, "Cipher %s not supported", ciphername); } - kt->cipher_length = cipher_kt_key_size(kt->cipher); - /* check legal cipher mode */ aead_cipher = cipher_kt_mode_aead(kt->cipher); if (!(cipher_kt_mode_cbc(kt->cipher) @@ -811,21 +809,18 @@ init_key_ctx(struct key_ctx *ctx, const struct key *key, { struct gc_arena gc = gc_new(); CLEAR(*ctx); - if (kt->cipher && kt->cipher_length > 0) + if (kt->cipher) { ctx->cipher = cipher_ctx_new(); - cipher_ctx_init(ctx->cipher, key->cipher, kt->cipher_length, - kt->cipher, enc); + cipher_ctx_init(ctx->cipher, key->cipher, kt->cipher, enc); const char *ciphername = cipher_kt_name(kt->cipher); msg(D_HANDSHAKE, "%s: Cipher '%s' initialized with %d bit key", - prefix, - ciphername, - kt->cipher_length *8); + prefix, ciphername, cipher_kt_key_size(kt->cipher) * 8); dmsg(D_SHOW_KEYS, "%s: CIPHER KEY: %s", prefix, - format_hex(key->cipher, kt->cipher_length, 0, &gc)); + format_hex(key->cipher, cipher_kt_key_size(kt->cipher), 0, &gc)); dmsg(D_CRYPTO_DEBUG, "%s: CIPHER block_size=%d iv_size=%d", prefix, cipher_kt_block_size(kt->cipher), cipher_kt_iv_size(kt->cipher)); @@ -899,8 +894,8 @@ free_key_ctx_bi(struct key_ctx_bi *ctx) static bool key_is_zero(struct key *key, const struct key_type *kt) { - int i; - for (i = 0; i < kt->cipher_length; ++i) + int cipher_length = cipher_kt_key_size(kt->cipher); + for (int i = 0; i < cipher_length; ++i) { if (key->cipher[i]) { @@ -959,10 +954,7 @@ generate_key_random(struct key *key, const struct key_type *kt) CLEAR(*key); if (kt) { - if (kt->cipher && kt->cipher_length > 0 && kt->cipher_length <= cipher_len) - { - cipher_len = kt->cipher_length; - } + cipher_len = cipher_kt_key_size(kt->cipher); if (kt->digest && kt->hmac_length > 0 && kt->hmac_length <= hmac_len) { @@ -996,13 +988,13 @@ key2_print(const struct key2 *k, ASSERT(k->n == 2); dmsg(D_SHOW_KEY_SOURCE, "%s (cipher): %s", prefix0, - format_hex(k->keys[0].cipher, kt->cipher_length, 0, &gc)); + format_hex(k->keys[0].cipher, cipher_kt_key_size(kt->cipher), 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "%s (hmac): %s", prefix0, format_hex(k->keys[0].hmac, kt->hmac_length, 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "%s (cipher): %s", prefix1, - format_hex(k->keys[1].cipher, kt->cipher_length, 0, &gc)); + format_hex(k->keys[1].cipher, cipher_kt_key_size(kt->cipher), 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "%s (hmac): %s", prefix1, format_hex(k->keys[1].hmac, kt->hmac_length, 0, &gc)); @@ -1532,10 +1524,11 @@ bool write_key(const struct key *key, const struct key_type *kt, struct buffer *buf) { - ASSERT(kt->cipher_length <= MAX_CIPHER_KEY_LENGTH + ASSERT(cipher_kt_key_size(kt->cipher) <= MAX_CIPHER_KEY_LENGTH && kt->hmac_length <= MAX_HMAC_KEY_LENGTH); - if (!buf_write(buf, &kt->cipher_length, 1)) + const uint8_t cipher_length = cipher_kt_key_size(kt->cipher); + if (!buf_write(buf, &cipher_length, 1)) { return false; } @@ -1543,7 +1536,7 @@ write_key(const struct key *key, const struct key_type *kt, { return false; } - if (!buf_write(buf, key->cipher, kt->cipher_length)) + if (!buf_write(buf, key->cipher, cipher_kt_key_size(kt->cipher))) { return false; } @@ -1577,7 +1570,7 @@ read_key(struct key *key, const struct key_type *kt, struct buffer *buf) goto read_err; } - if (cipher_length != kt->cipher_length || hmac_length != kt->hmac_length) + if (cipher_length != cipher_kt_key_size(kt->cipher) || hmac_length != kt->hmac_length) { goto key_len_err; } @@ -1600,7 +1593,7 @@ read_err: key_len_err: msg(D_TLS_ERRORS, "TLS Error: key length mismatch, local cipher/hmac %d/%d, remote cipher/hmac %d/%d", - kt->cipher_length, kt->hmac_length, cipher_length, hmac_length); + cipher_kt_key_size(kt->cipher), kt->hmac_length, cipher_length, hmac_length); return 0; } diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index f1af8df84..8998a74f9 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -138,7 +138,6 @@ struct sha256_digest { */ struct key_type { - uint8_t cipher_length; /**< Cipher length, in bytes */ uint8_t hmac_length; /**< HMAC length, in bytes */ const cipher_kt_t *cipher; /**< Cipher static parameters */ const md_kt_t *digest; /**< Message digest static parameters */ diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index 925d1db37..d4dd93c3a 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -323,12 +323,11 @@ void cipher_ctx_free(cipher_ctx_t *ctx); * * @param ctx Cipher context. May not be NULL * @param key Buffer containing the key to use - * @param key_len Length of the key, in bytes * @param kt Static cipher parameters to use * @param enc Whether to encrypt or decrypt (either * \c MBEDTLS_OP_ENCRYPT or \c MBEDTLS_OP_DECRYPT). */ -void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key, int key_len, +void cipher_ctx_init(cipher_ctx_t *ctx, const uint8_t *key, const cipher_kt_t *kt, int enc); /** diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 566baadde..feb97bc94 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -534,10 +534,11 @@ cipher_ctx_free(mbedtls_cipher_context_t *ctx) } void -cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key, int key_len, +cipher_ctx_init(mbedtls_cipher_context_t *ctx, const uint8_t *key, const mbedtls_cipher_info_t *kt, const mbedtls_operation_t operation) { ASSERT(NULL != kt && NULL != ctx); + int key_len = cipher_kt_key_size(kt); CLEAR(*ctx); diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 9d6c7c807..8b53b2ce8 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -754,7 +754,7 @@ cipher_ctx_free(EVP_CIPHER_CTX *ctx) } void -cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, +cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, const EVP_CIPHER *kt, int enc) { ASSERT(NULL != kt && NULL != ctx); @@ -770,7 +770,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, } /* make sure we used a big enough key */ - ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= key_len); + ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= EVP_CIPHER_key_length(kt)); } int diff --git a/src/openvpn/options.c b/src/openvpn/options.c index cc3d9fa07..928f7e8a3 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3988,7 +3988,7 @@ options_string(const struct options *o, { init_key_type(&kt, o->ciphername, o->authname, true, false); ciphername = cipher_kt_name(kt.cipher); - keysize = kt.cipher_length * 8; + keysize = cipher_kt_key_size(kt.cipher) * 8; } /* Only announce the cipher to our peer if we are willing to * support it */ diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 663f5e169..8403363e2 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -65,7 +65,6 @@ tls_crypt_kt(void) return (struct key_type) { 0 }; } - kt.cipher_length = cipher_kt_key_size(kt.cipher); kt.hmac_length = md_kt_size(kt.digest); return kt;