From patchwork Sun Sep 18 12:06:18 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2774
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Mon, 19 Sep 2022 00:06:18 +0200
Message-Id: <20220918220618.31112-1-a@unstable.cc>
In-Reply-To: <20220818084825.187755-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH v4] push-peer-info: rearrange function generating peer info
This patch is supposed to implement no function change. The only change in
behaviour that can be observed is the IV_/UV_ variables being printed in
different order compared to before applying this patch. However, order does
not matter, so we don't need to retain it.

What this change really does is rearranging the push_peer_info() function so
that it becomes much more clear which variable is printed depending on the
peer-info detail level.

The original code was mixed up, and figuring the above out required reading
this function multiple times.

This rearrangement puts everything in a switch/case block with sorted
peer-info detail levels appearing one after the other.

While at it, the for loop extracting the wanted env variables has been
restructured a bit to avoid uber long conditions and extreme indentation.

Signed-off-by: Antonio Quartulli
---
NOTE: I tried to move this function to ssh_util.c to make it possible to
unit-test it. However, it requires a bunch of headers which make the whole
dependency chain explode... so I gave up.

Changes from v3:
* rebased on top of master (conflicted with "Implement exit notification via
  control channel")

Changes from v2:
* create helper function to push variable from env-set

Changes from v1:
* add spaces before case/default labels in switch block
---
 src/openvpn/ssl.c | 225 ++++++++++++++++++++++++++--------------------
 1 file changed, 129 insertions(+), 96 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index d3f7a020..32579150 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1910,6 +1910,44 @@ read_string_alloc(struct buffer *buf) return str; } +/** + * Searches the environment variables set for variables starting with the + * specified pattern. If found, the variable string (i.e. VAR=VALUE) is + * copied to the out buffer provided as argument + * + * @param out the output buffer where variables should be written to + * @param es the environment variables set to search + * @param pattern the pattern used to match variable names + */ +static void +push_peer_info_env_var(struct buffer *out, const struct env_set *es, const char *pattern) +{ + for (const struct env_item *e = es->list; e; e = e->next) + { + /* ensure we have a string */ + if (!e->string) + { + continue; + } + + /* ensure string will fit output buffer */ + if (!buf_safe(out, strlen(e->string) + 1)) + { + continue; + } + + /* don't accept any var except for those starting with the specified + * pattern + */ + if (strncmp(e->string, pattern, strlen(pattern)) != 0) + { + continue; + } + + buf_printf(out, "%s\n", e->string); + } +} + /** * Prepares the IV_ and UV_ variables that are part of the * exchange to signal the peer's capabilities. The amount 
@@ -1932,137 +1970,132 @@ push_peer_info(struct buffer *buf, struct tls_session *session) bool ret = false; struct buffer out = alloc_buf_gc(512 * 3, &gc); - if (session->opt->push_peer_info_detail > 1) + switch (session->opt->push_peer_info_detail) { - /* push version */ - buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION); + case 3: + { + /* push mac addr */ + struct route_gateway_info rgi; + get_default_gateway(&rgi, session->opt->net_ctx); + if (rgi.flags & RGI_HWADDR_DEFINED) + { + buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc)); + } + buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version() ); +#if defined(_WIN32) + buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc, false)); +#endif + + /* push env vars that begin with UV_, IV_PLAT_VER= */ + push_peer_info_env_var(&out, session->opt->es, "UV_"); + push_peer_info_env_var(&out, session->opt->es, "IV_PLAT_VER="); + } - /* push platform */ + /* fall through */ + case 2: + { + /* push version */ + buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION); + + /* push platform */ #if defined(TARGET_LINUX) - buf_printf(&out, "IV_PLAT=linux\n"); + buf_printf(&out, "IV_PLAT=linux\n"); #elif defined(TARGET_SOLARIS) - buf_printf(&out, "IV_PLAT=solaris\n"); + buf_printf(&out, "IV_PLAT=solaris\n"); #elif defined(TARGET_OPENBSD) - buf_printf(&out, "IV_PLAT=openbsd\n"); + buf_printf(&out, "IV_PLAT=openbsd\n"); #elif defined(TARGET_DARWIN) - buf_printf(&out, "IV_PLAT=mac\n"); + buf_printf(&out, "IV_PLAT=mac\n"); #elif defined(TARGET_NETBSD) - buf_printf(&out, "IV_PLAT=netbsd\n"); + buf_printf(&out, "IV_PLAT=netbsd\n"); #elif defined(TARGET_FREEBSD) - buf_printf(&out, "IV_PLAT=freebsd\n"); + buf_printf(&out, "IV_PLAT=freebsd\n"); #elif defined(TARGET_ANDROID) - buf_printf(&out, "IV_PLAT=android\n"); + buf_printf(&out, "IV_PLAT=android\n"); #elif defined(_WIN32) - buf_printf(&out, "IV_PLAT=win\n"); + buf_printf(&out, "IV_PLAT=win\n"); #endif - /* Announce that we do not require strict 
sequence numbers with - * TCP. (TCP non-linear) */ - buf_printf(&out, "IV_TCPNL=1\n"); - } - /* These are the IV variable that are sent to peers in p2p mode */ - if (session->opt->push_peer_info_detail > 0) - { - /* support for P_DATA_V2 */ - int iv_proto = IV_PROTO_DATA_V2; - - /* support for the --dns option */ - iv_proto |= IV_PROTO_DNS_OPTION; + /* Announce that we do not require strict sequence numbers with + * TCP. (TCP non-linear) */ + buf_printf(&out, "IV_TCPNL=1\n"); - /* support for exit notify via control channel */ - iv_proto |= IV_PROTO_CC_EXIT_NOTIFY; + /* push compression status */ +#ifdef USE_COMP + comp_generate_peer_info_string(&session->opt->comp_options, &out); +#endif - /* support for receiving push_reply before sending - * push request, also signal that the client wants - * to get push-reply messages without without requiring a round - * trip for a push request message*/ - if (session->opt->pull) - { - iv_proto |= IV_PROTO_REQUEST_PUSH; - iv_proto |= IV_PROTO_AUTH_PENDING_KW; + /* push env vars that begin with IV_GUI_VER= and IV_SSO= */ + push_peer_info_env_var(&out, session->opt->es, "IV_GUI_VER="); + push_peer_info_env_var(&out, session->opt->es, "IV_SSO="); } - /* support for Negotiable Crypto Parameters */ - if (session->opt->mode == MODE_SERVER || session->opt->pull) + /* fall through */ + case 1: { - if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers) - && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers)) - { + /* support for P_DATA_V2 */ + int iv_proto = IV_PROTO_DATA_V2; + + /* support for the --dns option */ + iv_proto |= IV_PROTO_DNS_OPTION; - buf_printf(&out, "IV_NCP=2\n"); + /* support for exit notify via control channel */ + iv_proto |= IV_PROTO_CC_EXIT_NOTIFY; + + /* support for receiving push_reply before sending + * push request, also signal that the client wants + * to get push-reply messages without without requiring a round + * trip for a push request message*/ + if 
(session->opt->pull) + { + iv_proto |= IV_PROTO_REQUEST_PUSH; + iv_proto |= IV_PROTO_AUTH_PENDING_KW; } - } - else - { - /* We are not using pull or p2mp server, instead do P2P NCP */ - iv_proto |= IV_PROTO_NCP_P2P; - } - buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers); + /* support for Negotiable Crypto Parameters */ + if (session->opt->mode == MODE_SERVER || session->opt->pull) + { + if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers) + && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers)) + { + + buf_printf(&out, "IV_NCP=2\n"); + } + } + else + { + /* We are not using pull or p2mp server, instead do P2P NCP */ + iv_proto |= IV_PROTO_NCP_P2P; + } #ifdef HAVE_EXPORT_KEYING_MATERIAL - iv_proto |= IV_PROTO_TLS_KEY_EXPORT; + iv_proto |= IV_PROTO_TLS_KEY_EXPORT; #endif - buf_printf(&out, "IV_PROTO=%d\n", iv_proto); + buf_printf(&out, "IV_PROTO=%d\n", iv_proto); - if (session->opt->push_peer_info_detail > 1) - { - /* push compression status */ -#ifdef USE_COMP - comp_generate_peer_info_string(&session->opt->comp_options, &out); -#endif - } + buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers); - if (session->opt->push_peer_info_detail > 2) - { - /* push mac addr */ - struct route_gateway_info rgi; - get_default_gateway(&rgi, session->opt->net_ctx); - if (rgi.flags & RGI_HWADDR_DEFINED) + if (!write_string(buf, BSTR(&out), -1)) { - buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc)); + goto error; } - buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version() ); -#if defined(_WIN32) - buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc, false)); -#endif + break; } - if (session->opt->push_peer_info_detail > 1) - { - struct env_set *es = session->opt->es; - /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */ - for (struct env_item *e = es->list; e != NULL; e = e->next) + case 0: + if (!write_empty_string(buf)) { - if (e->string) - 
{ - if ((((strncmp(e->string, "UV_", 3) == 0 - || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=") - 1) == 0) - && session->opt->push_peer_info_detail > 2) - || (strncmp(e->string, "IV_GUI_VER=", sizeof("IV_GUI_VER=") - 1) == 0) - || (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) == 0) - ) - && buf_safe(&out, strlen(e->string) + 1)) - { - buf_printf(&out, "%s\n", e->string); - } - } + goto error; } - } + break; - if (!write_string(buf, BSTR(&out), -1)) - { - goto error; - } - } - else - { - if (!write_empty_string(buf)) /* no peer info */ - { + /* invalid value configured */ + default: + msg(M_WARN, "Invalid peer-info-detail level %d", session->opt->push_peer_info_detail); goto error; - } } + ret = true; error:
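Review bot: in the first hunk (`push_peer_info_env_var()`, @@ -1910,6 +1910,44 @@) a variable that matches `pattern` but fails `buf_safe(out, strlen(e->string) + 1)` is dropped with a bare `continue`, exactly as the removed inline loop did, so a peer-info string that was truncated because the 512 * 3 byte `out` buffer filled up leaves no trace in the log; consider a debug-level `msg()` in that branch, and move the `strncmp()` prefix test ahead of the size check so that only variables that are actually going to be emitted are measured against the buffer. The doc comment should also state that `pattern` is matched as a prefix of the whole `VAR=VALUE` string, which is why the call sites pass `"UV_"` to select a name prefix but `"IV_PLAT_VER="`, `"IV_GUI_VER="` and `"IV_SSO="` with the trailing `=` to select one exact name; that property is what keeps, say, `IV_GUI_VERSION` from matching, and it deserves to be written down next to the function.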
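Review bot: the `default:` branch in the second hunk (@@ -1932,137 +1970,132 @@) is a behaviour change the commit message does not mention: the removed code tested `push_peer_info_detail > 2`, `> 1` and `> 0`, so any level above 3 was treated as "push everything", whereas after this hunk such a value logs `Invalid peer-info-detail level %d` and makes `push_peer_info()` return false via `goto error`. If the level is only ever assigned internally with values 0..3 this is fine, but either say so in the commit message or let `default:` fall through into `case 3:` so that an unexpected value degrades to the old behaviour instead of failing. Two smaller points in the same hunk: the doubled "without without" in the `IV_PROTO_REQUEST_PUSH` comment is carried over verbatim from the removed lines and could be fixed while the comment is being moved, and the `/* invalid value configured */` comment would read better placed after the `default:` label rather than above it, matching how the other case bodies are commented.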