From patchwork Fri Jul 29 02:37:48 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2615
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 29 Jul 2022 14:37:48 +0200
Message-Id: <20220729123748.3267207-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20220625234150.3398864-1-arne@rfc2549.org>
References: <20220625234150.3398864-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v4 1/5] Extract check_session_cipher into standalone function

This allows the code later to check if the cipher is okay to use and update it for the calculation for the max MTU size.
Signed-off-by: Arne Schwabe Patch v2: Name function check_session_cipher to better reflect its function --- src/openvpn/ssl.c | 11 +---------- src/openvpn/ssl_ncp.c | 22 ++++++++++++++++++++++ src/openvpn/ssl_ncp.h | 8 ++++++++ 3 files changed, 31 insertions(+), 10 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 24d7f3f48..ee248b472 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1678,17 +1678,8 @@ tls_session_update_crypto_params(struct tls_session *session, struct frame *frame_fragment, struct link_socket_info *lsi) { - - bool cipher_allowed_as_fallback = options->enable_ncp_fallback - && streq(options->ciphername, session->opt->config_ciphername); - - if (!session->opt->server && !cipher_allowed_as_fallback - && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) + if (!check_session_cipher(session, options)) { - msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s", - options->ciphername, options->ncp_ciphers); - /* undo cipher push, abort connection setup */ - options->ciphername = session->opt->config_ciphername; return false; } diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 564942503..a58ced537 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c 
@@ -490,3 +490,25 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session) gc_free(&gc); } + + +bool +check_session_cipher(struct tls_session *session, struct options *options) +{ + bool cipher_allowed_as_fallback = options->enable_ncp_fallback + && streq(options->ciphername, session->opt->config_ciphername); + + if (!session->opt->server && !cipher_allowed_as_fallback + && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) + { + msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s", + options->ciphername, options->ncp_ciphers); + /* undo cipher push, abort connection setup */ + options->ciphername = session->opt->config_ciphername; + return false; + } + else + { + return true; + } +} diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h index 853017f5f..97c043029 100644 --- a/src/openvpn/ssl_ncp.h +++ b/src/openvpn/ssl_ncp.h @@ -148,4 +148,12 @@ const char * get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc); + +/** + * Checks if the cipher is allowed, otherwise returns false and reset the + * cipher to the config cipher. + */ +bool +check_session_cipher(struct tls_session *session, struct options *options); + #endif /* ifndef OPENVPN_SSL_NCP_H */
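Review bot: the ssl.c hunk hides a side effect behind a boolean: on failure check_session_cipher() resets options->ciphername to session->opt->config_ciphername, and the caller no longer shows that. A short comment above `if (!check_session_cipher(session, options))` saying that the helper undoes the pushed cipher before the `return false` would keep tls_session_update_crypto_params readable. The hunk adds no #include, so it relies on ssl.c already pulling in ssl_ncp.h, which the removed call to tls_item_in_cipher_list() suggests it does; worth a quick confirmation.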
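Review bot: in the new check_session_cipher() in the ssl_ncp.c hunk, the `else { return true; }` after a branch that always returns is redundant; dropping the else and ending the function with a plain `return true;` reads cleaner. Also note that the validation is skipped entirely when session->opt->server is set, so on the server side the function returns true without comparing options->ciphername against options->ncp_ciphers. Since the commit message says this helper will later feed the max MTU calculation, it is worth confirming that those later callers do not expect the server path to validate anything.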
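Review bot: the doxygen comment in the ssl_ncp.h hunk has a grammar slip ("reset the cipher" should be "resets the cipher") and leaves out two things a caller needs to know: the check only applies on the client side (it returns true unconditionally when session->opt->server is set, or when options->enable_ncp_fallback permits the configured cipher), and on failure it modifies options->ciphername in place, which is why `options` is not const. Suggest documenting both, e.g. "On clients, checks that the negotiated cipher is in the NCP list or allowed as fallback; otherwise logs the error, resets options->ciphername to the config cipher and returns false."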