From patchwork Wed Aug 17 13:32:48 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2688
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 18 Aug 2022 01:32:48 +0200
Message-Id: <20220817233248.137722-1-a@unstable.cc>
X-Mailer: git-send-email 2.30.2
Subject: [Openvpn-devel] [PATCH] push-peer-info: rearrange function generating peer info
Cc: Antonio Quartulli

This patch is supposed to implement no function change. The only change in behaviour that can be observed is the IV_/UV_ variables being printed in different order compared to before applying this patch. However, order does not matter, so we don't need to retain it.

What this change really does is rearranging the push_peer_info() function so that it becomes much more clear which variable is printed depending on the peer-info detail level. The original code was mixed up, and figuring the above out required reading this function multiple times.

This rearrangement puts everything in a switch/case block with sorted peer-info details levels appearing one after the other.

While at it, the for loop extracting the wanted env variables has been restructured a bit to avoid uber long conditions and extreme indentation.

Signed-off-by: Antonio Quartulli
---
 src/openvpn/ssl.c | 229 +++++++++++++++++++++++++++-------------------
 1 file changed, 134 insertions(+), 95 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 33e145b3..45e76024 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1932,134 +1932,173 @@ push_peer_info(struct buffer *buf, struct tls_session *session) bool ret = false; struct buffer out = alloc_buf_gc(512 * 3, &gc); - if (session->opt->push_peer_info_detail > 1) + switch (session->opt->push_peer_info_detail) { - /* push version */ - buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION); + case 3: + { + /* push mac addr */ + struct route_gateway_info rgi; + get_default_gateway(&rgi, session->opt->net_ctx); + if (rgi.flags & RGI_HWADDR_DEFINED) + { + buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc)); + } + buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version() ); +#if defined(_WIN32) + buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc, false)); +#endif + + struct env_set *es = session->opt->es; + /* push env vars that begin with UV_, IV_PLAT_VER= */ + for (struct env_item *e = es->list; e != NULL; e = e->next) + { + /* ensure we have a string */ + if (!e->string) + { + continue; + } - /* push platform */ + /* ensure string will fit output buffer */ + if (!buf_safe(&out, strlen(e->string) + 1)) + { + continue; + } + + /* don't accept any var except for those starting with UV_ or + * IV_PLAT_VER= only + */ + if ((strncmp(e->string, "UV_", sizeof("UV_") - 1) != 0) + && (strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=") - 1) != 0)) + { + continue; + } + + buf_printf(&out, "%s\n", e->string); + } + } + /* fall through */ + case 2: + { + /* push version */ + buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION); + + /* push platform */ #if defined(TARGET_LINUX) - buf_printf(&out, "IV_PLAT=linux\n"); + buf_printf(&out, "IV_PLAT=linux\n"); #elif defined(TARGET_SOLARIS) - buf_printf(&out, "IV_PLAT=solaris\n"); + buf_printf(&out, "IV_PLAT=solaris\n"); #elif defined(TARGET_OPENBSD) - buf_printf(&out, "IV_PLAT=openbsd\n"); + buf_printf(&out, "IV_PLAT=openbsd\n"); #elif defined(TARGET_DARWIN) - buf_printf(&out, "IV_PLAT=mac\n"); + buf_printf(&out, "IV_PLAT=mac\n"); #elif defined(TARGET_NETBSD) - 
buf_printf(&out, "IV_PLAT=netbsd\n"); + buf_printf(&out, "IV_PLAT=netbsd\n"); #elif defined(TARGET_FREEBSD) - buf_printf(&out, "IV_PLAT=freebsd\n"); + buf_printf(&out, "IV_PLAT=freebsd\n"); #elif defined(TARGET_ANDROID) - buf_printf(&out, "IV_PLAT=android\n"); + buf_printf(&out, "IV_PLAT=android\n"); #elif defined(_WIN32) - buf_printf(&out, "IV_PLAT=win\n"); + buf_printf(&out, "IV_PLAT=win\n"); #endif - /* Announce that we do not require strict sequence numbers with - * TCP. (TCP non-linear) */ - buf_printf(&out, "IV_TCPNL=1\n"); - } - /* These are the IV variable that are sent to peers in p2p mode */ - if (session->opt->push_peer_info_detail > 0) - { - /* support for P_DATA_V2 */ - int iv_proto = IV_PROTO_DATA_V2; + /* Announce that we do not require strict sequence numbers with + * TCP. (TCP non-linear) */ + buf_printf(&out, "IV_TCPNL=1\n"); - /* support for the --dns option */ - iv_proto |= IV_PROTO_DNS_OPTION; - - /* support for receiving push_reply before sending - * push request, also signal that the client wants - * to get push-reply messages without without requiring a round - * trip for a push request message*/ - if (session->opt->pull) - { - iv_proto |= IV_PROTO_REQUEST_PUSH; - iv_proto |= IV_PROTO_AUTH_PENDING_KW; - } + /* push compression status */ +#ifdef USE_COMP + comp_generate_peer_info_string(&session->opt->comp_options, &out); +#endif - /* support for Negotiable Crypto Parameters */ - if (session->opt->mode == MODE_SERVER || session->opt->pull) - { - if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers) - && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers)) + struct env_set *es = session->opt->es; + /* push env vars that begin with IV_GUI_VER= and IV_SSO= */ + for (struct env_item *e = es->list; e != NULL; e = e->next) { + /* ensure we have a string */ + if (!e->string) + { + continue; + } + + /* ensure string will fit output buffer */ + if (!buf_safe(&out, strlen(e->string) + 1)) + { + continue; + } 
- buf_printf(&out, "IV_NCP=2\n"); + /* don't accept any var except for those starting with + * IV_GUI_VER= or IV_SSO= only + */ + if ((strncmp(e->string, "IV_GUI_VER=", sizeof("IV_GUI_VER=") - 1) != 0) + && (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) != 0)) + { + continue; + } + + buf_printf(&out, "%s\n", e->string); } } - else + /* fall through */ + case 1: { - /* We are not using pull or p2mp server, instead do P2P NCP */ - iv_proto |= IV_PROTO_NCP_P2P; - } + /* support for P_DATA_V2 */ + int iv_proto = IV_PROTO_DATA_V2; - buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers); + /* support for the --dns option */ + iv_proto |= IV_PROTO_DNS_OPTION; + + /* support for receiving push_reply before sending + * push request, also signal that the client wants + * to get push-reply messages without without requiring a round + * trip for a push request message*/ + if (session->opt->pull) + { + iv_proto |= IV_PROTO_REQUEST_PUSH; + iv_proto |= IV_PROTO_AUTH_PENDING_KW; + } + + /* support for Negotiable Crypto Parameters */ + if (session->opt->mode == MODE_SERVER || session->opt->pull) + { + if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers) + && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers)) + { + + buf_printf(&out, "IV_NCP=2\n"); + } + } + else + { + /* We are not using pull or p2mp server, instead do P2P NCP */ + iv_proto |= IV_PROTO_NCP_P2P; + } #ifdef HAVE_EXPORT_KEYING_MATERIAL - iv_proto |= IV_PROTO_TLS_KEY_EXPORT; + iv_proto |= IV_PROTO_TLS_KEY_EXPORT; #endif - buf_printf(&out, "IV_PROTO=%d\n", iv_proto); + buf_printf(&out, "IV_PROTO=%d\n", iv_proto); - if (session->opt->push_peer_info_detail > 1) - { - /* push compression status */ -#ifdef USE_COMP - comp_generate_peer_info_string(&session->opt->comp_options, &out); -#endif - } + buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers); - if (session->opt->push_peer_info_detail > 2) - { - /* push mac addr */ - struct 
route_gateway_info rgi; - get_default_gateway(&rgi, session->opt->net_ctx); - if (rgi.flags & RGI_HWADDR_DEFINED) + if (!write_string(buf, BSTR(&out), -1)) { - buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc)); + goto error; } - buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version() ); -#if defined(_WIN32) - buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc, false)); -#endif + break; } - - if (session->opt->push_peer_info_detail > 1) - { - struct env_set *es = session->opt->es; - /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */ - for (struct env_item *e = es->list; e != NULL; e = e->next) + case 0: + if (!write_empty_string(buf)) { - if (e->string) - { - if ((((strncmp(e->string, "UV_", 3) == 0 - || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=") - 1) == 0) - && session->opt->push_peer_info_detail > 2) - || (strncmp(e->string, "IV_GUI_VER=", sizeof("IV_GUI_VER=") - 1) == 0) - || (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) == 0) - ) - && buf_safe(&out, strlen(e->string) + 1)) - { - buf_printf(&out, "%s\n", e->string); - } - } + goto error; } - } - - if (!write_string(buf, BSTR(&out), -1)) - { - goto error; - } - } - else - { - if (!write_empty_string(buf)) /* no peer info */ - { + break; + /* invalid value configured */ + default: + msg(M_WARN, "Invalid peer-info-detail level %d", session->opt->push_peer_info_detail); goto error; - } } + ret = true; error:
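Review bot: the new `default:` arm (`msg(M_WARN, "Invalid peer-info-detail level %d", ...); goto error;`) is a behaviour change that the commit message says this patch does not make: the removed `if (session->opt->push_peer_info_detail > 2)` / `> 1` / `> 0` chain treated any level above 3 exactly like 3, whereas the switch now logs a warning and makes push_peer_info() return false for it. If levels outside 0..3 cannot be configured, say so in the commit message and note that the default arm is intentional; otherwise let `default:` fall into the `case 3:` path. Smaller point: the two env-var loops in `case 3:` and `case 2:` are identical apart from the accepted prefixes (`UV_`/`IV_PLAT_VER=` versus `IV_GUI_VER=`/`IV_SSO=`), so a small helper taking the prefix list would remove the duplicated string/buf_safe checks.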
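To make the commit message's "no function change" claim checkable, here is an added C model (not OpenVPN code, and not part of this patch) of push_peer_info() before and after the change: each group of IV_/UV_ items is one bit, the two functions reproduce the removed nested-if and the added switch control flow, and same_items() reports whether a detail level yields the same set of items, ignoring order as the commit message allows. The bit names and the grouping of items are this example's own assumptions.

```c
/* Added model of push_peer_info(), not OpenVPN code: one bit per group of
 * IV_/UV_ items, so the set emitted for a detail level can be compared
 * without regard to order. Grouping and names are this example's own. */
#include <stdbool.h>

enum {
    PI_IV_PROTO = 1 << 0, /* IV_PROTO, IV_NCP, IV_CIPHERS: level >= 1 */
    PI_IV_VER   = 1 << 1, /* IV_VER, IV_PLAT, IV_TCPNL: level >= 2 */
    PI_COMP     = 1 << 2, /* compression status: level >= 2 */
    PI_GUI_ENV  = 1 << 3, /* IV_GUI_VER= / IV_SSO= env vars: level >= 2 */
    PI_HWADDR   = 1 << 4, /* IV_HWADDR, IV_SSL, IV_PLAT_VER: level >= 3 */
    PI_UV_ENV   = 1 << 5, /* UV_* / IV_PLAT_VER= env vars: level >= 3 */
    PI_EMPTY    = 1 << 6, /* write_empty_string(): level 0 */
    PI_ERROR    = 1 << 7  /* goto error without writing anything */
};

/* Control flow of the removed code: nested "> n" comparisons. */
unsigned old_peer_info(int level)
{
    unsigned s = 0;
    if (level > 1) { s |= PI_IV_VER; }
    if (level > 0) {
        s |= PI_IV_PROTO;
        if (level > 1) { s |= PI_COMP; }
        if (level > 2) { s |= PI_HWADDR; }
        if (level > 1) { s |= PI_GUI_ENV | (level > 2 ? PI_UV_ENV : 0); }
    } else {
        s |= PI_EMPTY; /* no peer info */
    }
    return s;
}

/* Control flow of the added code: switch falling through from 3 to 1. */
unsigned new_peer_info(int level)
{
    unsigned s = 0;
    switch (level) {
    case 3: s |= PI_HWADDR | PI_UV_ENV;            /* fall through */
    case 2: s |= PI_IV_VER | PI_COMP | PI_GUI_ENV; /* fall through */
    case 1: s |= PI_IV_PROTO; break;
    case 0: s |= PI_EMPTY; break;
    default: s |= PI_ERROR; break; /* invalid value configured */
    }
    return s;
}

/* true when both versions emit the same set of items for this level */
bool same_items(int level)
{
    return old_peer_info(level) == new_peer_info(level);
}
```

Levels 0 to 3 come out identical; the only divergence is a level above 3, which the removed code treated like 3 and the new default arm rejects.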