From patchwork Thu Feb 17 03:32:41 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 2300 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id YC7GALNcDmIccgAAqwncew (envelope-from ) for ; Thu, 17 Feb 2022 09:33:23 -0500 Received: from proxy9.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id 8EPqGLNcDmIFAgAAalYnBA (envelope-from ) for ; Thu, 17 Feb 2022 09:33:23 -0500 Received: from smtp9.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy9.mail.ord1d.rsapps.net with LMTPS id yDunGLNcDmK5cgAA7h+8OQ (envelope-from ) for ; Thu, 17 Feb 2022 09:33:23 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp9.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=unstable.cc X-Suspicious-Flag: YES X-Classification-ID: 8ef49cb8-8ffe-11ec-8cf8-0026b95bddb7-1-1 Received: from [216.105.38.7] ([216.105.38.7:50026] helo=lists.sourceforge.net) by smtp9.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id E9/6B-15515-2BC5E026; Thu, 17 Feb 2022 09:33:23 -0500 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nKhpq-0005iE-Jr; Thu, 17 Feb 2022 14:32:41 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nKhpe-0005i0-S9 for openvpn-devel@lists.sourceforge.net; Thu, 17 Feb 2022 14:32:29 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=ChUSQl/r+79dSZnnYTLbeMwPbGOlbjuhmYfKg1uvFSY=; b=Kf7P4nJM2nQhsu/l9+OVRNwMUB tJOxCBxJa+MYJJLxNm1ecCUqvdmun1iOxFZQDtAN8cl5mD0T4/hKzUrIdaYR18HtuhJkhIdQ2JSmp ERekafmM34zGsJHS9NFr7g9U3lR2M2z4LrLZWlcvHyrIV9MRXz+YhGvJQUXNkd/3Ptpo=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=ChUSQl/r+79dSZnnYTLbeMwPbGOlbjuhmYfKg1uvFSY=; b=eGL4ZT7J9QAQqCl0buQh0LkObV /4bdGYbjcuoZBMslYCgw9gCb9RH8bkuuTGxyWK5M2jDm45aSTVPK5D5G+2ICNwKLd5dD7wr0rVVBx 9G27F1yJ/cuYd1M51NUgUuSrQmTITYDY3J3/9oZluPInlQ7lJ2YF1D8hSC00aViIFWbU=; Received: from s2.neomailbox.net ([5.148.176.60]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1nKhpV-004qi4-IA for openvpn-devel@lists.sourceforge.net; Thu, 17 Feb 2022 14:32:23 +0000 From: Antonio Quartulli To: openvpn-devel@lists.sourceforge.net Date: Thu, 17 Feb 2022 15:32:41 +0100 Message-Id: <20220217143241.18766-1-a@unstable.cc> In-Reply-To: <20220217142306.8108-1-a@unstable.cc> References: <20220217142306.8108-1-a@unstable.cc> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: At the moment we have tls_crypt_kt() and auth_token_kt that basically do the same thing, but with different algorithms used to inizialise the structure. In order to avoid code duplication and copy/paste errors, unify code and make it parametric, so that it can be re-used in various places. Content analysis details: (-0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1nKhpV-004qi4-IA Subject: [Openvpn-devel] [PATCH v2] crypto: unify key_type creation code X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Antonio Quartulli Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox At the moment we have tls_crypt_kt() and auth_token_kt that basically do the same thing, but with different algorithms used to inizialise the structure. In order to avoid code duplication and copy/paste errors, unify code and make it parametric, so that it can be re-used in various places. Signed-off-by: Antonio Quartulli Acked-By: Arne Schwabe --- Changes from v1: * added doc for optname param --- src/openvpn/auth_token.c | 20 +------------------- src/openvpn/crypto.h | 32 ++++++++++++++++++++++++++++++++ src/openvpn/tls_crypt.c | 27 +++------------------------ 3 files changed, 36 insertions(+), 43 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index 10c9dde6..6aae73c9 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -30,24 +30,6 @@ const char *auth_token_pem_name = "OpenVPN auth-token server key"; /* Size of the data of the token (not b64 encoded and without prefix) */ #define TOKEN_DATA_LEN (2 * sizeof(int64_t) + AUTH_TOKEN_SESSION_ID_LEN + 32) -static struct key_type -auth_token_kt(void) -{ - struct key_type kt = { 0 }; - /* We do not encrypt our session tokens */ - kt.cipher = "none"; - kt.digest = "SHA256"; - - if (!md_valid(kt.digest)) - { - msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); - return (struct key_type) { 0 }; - } - - return kt; -} - - void add_session_token_env(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up) @@ -138,7 +120,7 @@ void auth_token_init_secret(struct key_ctx *key_ctx, const char *key_file, bool key_inline) { - struct key_type kt = auth_token_kt(); + struct key_type kt = create_kt("none", "SHA256", "auth-gen-token"); struct buffer server_secret_key = alloc_buf(2048); diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 6e505517..132aeaa5 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -547,4 +547,36 @@ key_ctx_bi_defined(const struct key_ctx_bi *key) */ const char *print_key_filename(const char *str, bool is_inline); +/** + * Creates and validates an instance of struct key_type with the provided + * algs. + * + * @param cipher the cipher algorithm to use (must be a string literal) + * @param md the digest algorithm to use (must be a string literal) + * @param optname the name of the option requiring the key_type object + * + * @return the initialized key_type instance + */ +static inline struct key_type +create_kt(const char *cipher, const char *md, const char *optname) +{ + struct key_type kt; + kt.cipher = cipher; + kt.digest = md; + + if (cipher_defined(kt.cipher) && !cipher_valid(kt.cipher)) + { + msg(M_WARN, "ERROR: --%s requires %s support.", optname, kt.cipher); + return (struct key_type) { 0 }; + } + if (md_defined(kt.digest) && !md_valid(kt.digest)) + { + msg(M_WARN, "ERROR: --%s requires %s support.", optname, kt.digest); + return (struct key_type) { 0 }; + } + + return kt; +} + + #endif /* CRYPTO_H */ diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index aae2a917..99e85010 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -47,27 +47,6 @@ static const uint8_t TLS_CRYPT_METADATA_TYPE_USER = 0x00; /** Metadata contains a 64-bit unix timestamp in network byte order */ static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP = 0x01; -static struct key_type -tls_crypt_kt(void) -{ - struct key_type kt; - kt.cipher = "AES-256-CTR"; - kt.digest = "SHA256"; - - if (!cipher_valid(kt.cipher)) - { - msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support."); - return (struct key_type) { 0 }; - } - if (!md_valid(kt.digest)) - { - msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); - return (struct key_type) { 0 }; - } - - return kt; -} - int tls_crypt_buf_overhead(void) { @@ -80,7 +59,7 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, { const int key_direction = tls_server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE; - struct key_type kt = tls_crypt_kt(); + struct key_type kt = create_kt("AES-256-CTR", "SHA256", "tls-crypt"); if (!kt.cipher || !kt.digest) { msg(M_FATAL, "ERROR: --tls-crypt not supported"); @@ -271,7 +250,7 @@ tls_crypt_v2_load_client_key(struct key_ctx_bi *key, const struct key2 *key2, { const int key_direction = tls_server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE; - struct key_type kt = tls_crypt_kt(); + struct key_type kt = create_kt("AES-256-CTR", "SHA256", "tls-crypt"); if (!kt.cipher || !kt.digest) { msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported"); @@ -319,7 +298,7 @@ tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, msg(M_FATAL, "ERROR: invalid tls-crypt-v2 server key format"); } - struct key_type kt = tls_crypt_kt(); + struct key_type kt = create_kt("AES-256-CTR", "SHA256", "tls-crypt"); if (!kt.cipher || !kt.digest) { msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported");