From patchwork Thu May 5 01:43:22 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frank Lichtenheld X-Patchwork-Id: 2435 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.27.255.57]) by backend41.mail.ord1d.rsapps.net with LMTP id QA31K7C4c2I+EAAAqwncew (envelope-from ) for ; Thu, 05 May 2022 07:44:48 -0400 Received: from proxy12.mail.iad3a.rsapps.net ([172.27.255.57]) by director10.mail.ord1d.rsapps.net with LMTP id MA07ALG4c2K1DwAApN4f7A (envelope-from ) for ; Thu, 05 May 2022 07:44:49 -0400 Received: from smtp49.gate.iad3a ([172.27.255.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy12.mail.iad3a.rsapps.net with LMTPS id aBjDNLC4c2LfIgAAh9K5Vw (envelope-from ) for ; Thu, 05 May 2022 07:44:48 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp49.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=lichtenheld.com X-Suspicious-Flag: YES X-Classification-ID: c3c3cdf0-cc68-11ec-9dad-525400fffce0-1-1 Received: from [216.105.38.7] ([216.105.38.7:40510] helo=lists.sourceforge.net) by smtp49.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id F6/5A-18465-FA8B3726; Thu, 05 May 2022 07:44:48 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nmZtc-00088N-Og; Thu, 05 May 2022 11:43:47 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nmZtV-00087q-TA for openvpn-devel@lists.sourceforge.net; Thu, 05 May 2022 11:43:41 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=NAYznHnDBcbPU1ITscAkphLbGSOlZ1ca0bY31G3+V3M=; b=RyV/fGqRzzqPBlxCdcfpH0ZIod IK+3qLp7jB/o0omAD/ctucdVb3ASVp3mUQjfoq9wCyyKVGPVjr8mFaqhPCn9d3hLNFGR2kGs+k5Fc kubSwzjgrMYarXY5Srwvhmm/nEtuGkpmgk17L/GoWZLjv4bakcP8ho34O1Mee7jJb3yo=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=NAYznHnDBcbPU1ITscAkphLbGSOlZ1ca0bY31G3+V3M=; b=P AJMLOuYjrdTBERKrph7xMf32CU8B2+jglvnwC1q6EX1nqeFUFl/SiiDgB699Mpk8BrHyH4dy8+OaF MHJ0mYsXmCdtAI6+QK4rQQTKFWea8mnYmewIQKd7wJK1B5ku7v44GVem4cYyLU7+YASNWVEHe2vr4 LtCoQOZTEldG7rAM=; Received: from mout-p-201.mailbox.org ([80.241.56.171]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1nmZtT-0006Cz-Az for openvpn-devel@lists.sourceforge.net; Thu, 05 May 2022 11:43:40 +0000 Received: from smtp202.mailbox.org (smtp202.mailbox.org [10.196.197.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-201.mailbox.org (Postfix) with ESMTPS id 4KvBfL3Tz6z9sp2 for ; Thu, 5 May 2022 13:43:22 +0200 (CEST) From: Frank Lichtenheld To: openvpn-devel@lists.sourceforge.net Date: Thu, 5 May 2022 13:43:22 +0200 Message-Id: <20220505114322.6460-1-frank@lichtenheld.com> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: I think that makes the code slightly more readable. Signed-off-by: Frank Lichtenheld --- src/openvpn/ssl.c | 20 +++++++++--------- src/openvpn/ssl_backend.h | 35 ++++++++++++++++++ src/openvpn/ssl_mbedtls.c | 44 +++ [...] Content analysis details: (-0.7 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [80.241.56.171 listed in list.dnswl.org] 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1nmZtT-0006Cz-Az Subject: [Openvpn-devel] [PATCH] Introduce macros for the returns values of key_state_* X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox I think that makes the code slightly more readable. Signed-off-by: Frank Lichtenheld --- src/openvpn/ssl.c | 20 +++++++++--------- src/openvpn/ssl_backend.h | 35 ++++++++++++++++++------------- src/openvpn/ssl_mbedtls.c | 44 +++++++++++++++++++-------------------- 3 files changed, 52 insertions(+), 47 deletions(-) Might conflict with some of Arne's handshake patches. diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 5b0cdcaa..b174b723 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2599,7 +2599,7 @@ tls_process_state(struct tls_multi *multi, if (buf->len) { status = key_state_write_ciphertext(&ks->ks_ssl, buf); - if (status == -1) + if (status == KS_IO_ERROR) { msg(D_TLS_ERRORS, "TLS Error: Incoming Ciphertext -> TLS object write error"); @@ -2608,9 +2608,9 @@ tls_process_state(struct tls_multi *multi, } else { - status = 1; + status = KS_IO_SUCCESS; } - if (status == 1) + if (status == KS_IO_SUCCESS) { reliable_mark_deleted(ks->rec_reliable, buf); state_change = true; @@ -2627,12 +2627,12 @@ tls_process_state(struct tls_multi *multi, ASSERT(buf_init(buf, 0)); status = key_state_read_plaintext(&ks->ks_ssl, buf, TLS_CHANNEL_BUF_SIZE); update_time(); - if (status == -1) + if (status == KS_IO_ERROR) { msg(D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error"); goto error; } - if (status == 1) + if (status == KS_IO_SUCCESS) { state_change = true; dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext"); @@ -2678,13 +2678,13 @@ tls_process_state(struct tls_multi *multi, if (buf->len) { int status = key_state_write_plaintext(&ks->ks_ssl, buf); - if (status == -1) + if (status == KS_IO_ERROR) { msg(D_TLS_ERRORS, "TLS ERROR: Outgoing Plaintext -> TLS object write error"); goto error; } - if (status == 1) + if (status == KS_IO_SUCCESS) { state_change = true; dmsg(D_TLS_DEBUG, "Outgoing Plaintext -> TLS"); @@ -2699,13 +2699,13 @@ tls_process_state(struct tls_multi *multi, { int status = key_state_read_ciphertext(&ks->ks_ssl, buf, multi->opt.frame.tun_mtu); - if (status == -1) + if (status == KS_IO_ERROR) { msg(D_TLS_ERRORS, "TLS Error: Ciphertext -> reliable TCP/UDP transport read error"); goto error; } - if (status == 1) + if (status == KS_IO_SUCCESS) { reliable_mark_active_outgoing(ks->send_reliable, buf, P_CONTROL_V1); INCR_GENERATED; @@ -3689,7 +3689,7 @@ tls_send_payload(struct tls_multi *multi, if (ks->state >= S_ACTIVE) { - if (key_state_write_plaintext_const(&ks->ks_ssl, data, size) == 1) + if (key_state_write_plaintext_const(&ks->ks_ssl, data, size) == KS_IO_SUCCESS) { ret = true; } diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 1bd33699..d68f02aa 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -32,6 +32,11 @@ #include "buffer.h" +/* key_state_{read,write}_* return values */ +#define KS_IO_SUCCESS 1 +#define KS_IO_RETRY 0 +#define KS_IO_ERROR -1 + #ifdef ENABLE_CRYPTO_OPENSSL #include "ssl_openssl.h" #include "ssl_verify_openssl.h" @@ -427,10 +432,10 @@ key_state_export_keying_material(struct tls_session *session, * * @return The return value indicates whether the data was successfully * processed: - * - \c 1: All the data was processed successfully. - * - \c 0: The data was not processed, this function should be called + * - \c KS_IO_SUCCESS: All the data was processed successfully. + * - \c KS_IO_RETRY: The data was not processed, this function should be called * again later to retry. - * - \c -1: An error occurred. + * - \c KS_IO_ERROR: An error occurred. */ int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf); @@ -444,10 +449,10 @@ int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf); * * @return The return value indicates whether the data was successfully * processed: - * - \c 1: All the data was processed successfully. - * - \c 0: The data was not processed, this function should be called + * - \c KS_IO_SUCCESS: All the data was processed successfully. + * - \c KS_IO_RETRY: The data was not processed, this function should be called * again later to retry. - * - \c -1: An error occurred. + * - \c KS_IO_ERROR: An error occurred. */ int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len); @@ -465,10 +470,10 @@ int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, * * @return The return value indicates whether the data was successfully * processed: - * - \c 1: Data was extracted successfully. - * - \c 0: No data was extracted, this function should be called again + * - \c KS_IO_SUCCESS: Data was extracted successfully. + * - \c KS_IO_RETRY: No data was extracted, this function should be called again * later to retry. - * - \c -1: An error occurred. + * - \c KS_IO_ERROR: An error occurred. */ int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen); @@ -491,10 +496,10 @@ int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf, * * @return The return value indicates whether the data was successfully * processed: - * - \c 1: All the data was processed successfully. - * - \c 0: The data was not processed, this function should be called + * - \c KS_IO_SUCCESS: All the data was processed successfully. + * - \c KS_IO_RETRY: The data was not processed, this function should be called * again later to retry. - * - \c -1: An error occurred. + * - \c KS_IO_ERROR: An error occurred. */ int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf); @@ -512,10 +517,10 @@ int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, * * @return The return value indicates whether the data was successfully * processed: - * - \c 1: Data was extracted successfully. - * - \c 0: No data was extracted, this function should be called again + * - \c KS_IO_SUCCESS: Data was extracted successfully. + * - \c KS_IO_RETRY: No data was extracted, this function should be called again * later to retry. - * - \c -1: An error occurred. + * - \c KS_IO_ERROR: An error occurred. */ int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index b0785bae..cbaebba4 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -1222,13 +1222,13 @@ key_state_ssl_free(struct key_state_ssl *ks_ssl) int key_state_write_plaintext(struct key_state_ssl *ks, struct buffer *buf) { - int retval = 0; + int retval = KS_IO_RETRY; ASSERT(buf); retval = key_state_write_plaintext_const(ks, BPTR(buf), BLEN(buf)); - if (1 == retval) + if (KS_IO_SUCCESS == retval) { memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */ buf->len = 0; @@ -1249,7 +1249,7 @@ key_state_write_plaintext_const(struct key_state_ssl *ks, const uint8_t *data, i if (0 == len) { perf_pop(); - return 0; + return KS_IO_RETRY; } ASSERT(data); @@ -1261,11 +1261,11 @@ key_state_write_plaintext_const(struct key_state_ssl *ks, const uint8_t *data, i perf_pop(); if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) { - return 0; + return KS_IO_RETRY; } mbed_log_err(D_TLS_ERRORS, retval, "TLS ERROR: write tls_write_plaintext_const error"); - return -1; + return KS_IO_ERROR; } if (retval != len) @@ -1274,14 +1274,14 @@ key_state_write_plaintext_const(struct key_state_ssl *ks, const uint8_t *data, i "TLS ERROR: write tls_write_plaintext_const incomplete %d/%d", retval, len); perf_pop(); - return -1; + return KS_IO_ERROR; } /* successful write */ dmsg(D_HANDSHAKE_VERBOSE, "write tls_write_plaintext_const %d bytes", retval); perf_pop(); - return 1; + return KS_IO_SUCCESS; } int @@ -1300,7 +1300,7 @@ key_state_read_ciphertext(struct key_state_ssl *ks, struct buffer *buf, if (buf->len) { perf_pop(); - return 0; + return KS_IO_RETRY; } len = buf_forward_capacity(buf); @@ -1317,25 +1317,25 @@ key_state_read_ciphertext(struct key_state_ssl *ks, struct buffer *buf, perf_pop(); if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) { - return 0; + return KS_IO_RETRY; } mbed_log_err(D_TLS_ERRORS, retval, "TLS_ERROR: read tls_read_ciphertext error"); buf->len = 0; - return -1; + return KS_IO_ERROR; } /* Nothing read, try again */ if (0 == retval) { buf->len = 0; perf_pop(); - return 0; + return KS_IO_RETRY; } /* successful read */ dmsg(D_HANDSHAKE_VERBOSE, "read tls_read_ciphertext %d bytes", retval); buf->len = retval; perf_pop(); - return 1; + return KS_IO_SUCCESS; } int @@ -1351,7 +1351,7 @@ key_state_write_ciphertext(struct key_state_ssl *ks, struct buffer *buf) if (0 == buf->len) { perf_pop(); - return 0; + return KS_IO_RETRY; } retval = endless_buf_write(&ks->bio_ctx->in, BPTR(buf), buf->len); @@ -1362,11 +1362,11 @@ key_state_write_ciphertext(struct key_state_ssl *ks, struct buffer *buf) if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) { - return 0; + return KS_IO_RETRY; } mbed_log_err(D_TLS_ERRORS, retval, "TLS ERROR: write tls_write_ciphertext error"); - return -1; + return KS_IO_ERROR; } if (retval != buf->len) @@ -1374,7 +1374,7 @@ key_state_write_ciphertext(struct key_state_ssl *ks, struct buffer *buf) msg(D_TLS_ERRORS, "TLS ERROR: write tls_write_ciphertext incomplete %d/%d", retval, buf->len); perf_pop(); - return -1; + return KS_IO_ERROR; } /* successful write */ @@ -1384,7 +1384,7 @@ key_state_write_ciphertext(struct key_state_ssl *ks, struct buffer *buf) buf->len = 0; perf_pop(); - return 1; + return KS_IO_SUCCESS; } int @@ -1403,7 +1403,7 @@ key_state_read_plaintext(struct key_state_ssl *ks, struct buffer *buf, if (buf->len) { perf_pop(); - return 0; + return KS_IO_RETRY; } len = buf_forward_capacity(buf); @@ -1419,19 +1419,19 @@ key_state_read_plaintext(struct key_state_ssl *ks, struct buffer *buf, { if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) { - return 0; + return KS_IO_RETRY; } mbed_log_err(D_TLS_ERRORS, retval, "TLS_ERROR: read tls_read_plaintext error"); buf->len = 0; perf_pop(); - return -1; + return KS_IO_ERROR; } /* Nothing read, try again */ if (0 == retval) { buf->len = 0; perf_pop(); - return 0; + return KS_IO_RETRY; } /* successful read */ @@ -1439,7 +1439,7 @@ key_state_read_plaintext(struct key_state_ssl *ks, struct buffer *buf, buf->len = retval; perf_pop(); - return 1; + return KS_IO_SUCCESS; } /* **************************************