From patchwork Mon Nov 11 01:59:48 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "mrbff (Code Review)"
X-Patchwork-Id: 3929
Delivered-To: patchwork@openvpn.net
From: "plaisthos (Code Review)"
X-Google-Original-From: "plaisthos (Code Review)"
X-Gerrit-PatchSet: 1
Date: Mon, 11 Nov 2024 01:59:48 +0000
To: flichtenheld
Auto-Submitted: auto-generated
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: If9e029bdac264dcc05b2d256c4d323315904a92b
X-Gerrit-Change-Number: 799
X-Gerrit-Project: openvpn
X-Gerrit-Commit: d8185f5d67da6a33087cbf0e77b242e25a8499c4
MIME-Version: 1.0
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [S]
Change in openvpn[master]: Split init_key_ctx_bi into send/recv init X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1815389578088694671?= X-GMAIL-MSGID: =?utf-8?q?1815389578088694671?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/799?usp=email to review the following change. Change subject: Split init_key_ctx_bi into send/recv init ...................................................................... Split init_key_ctx_bi into send/recv init This allows for only initialising one of the keys. This is needed for epoch keys where key rotation of send/recv key can happen at different time points. Change-Id: If9e029bdac264dcc05b2d256c4d323315904a92b Signed-off-by: Arne Schwabe --- M src/openvpn/crypto.c M src/openvpn/crypto.h 2 files changed, 38 insertions(+), 5 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/99/799/1 diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index a366474..f0b60a3 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -939,8 +939,8 @@ } void -init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, - int key_direction, const struct key_type *kt, const char *name) +init_key_bi_ctx_send(struct key_ctx *ctx, const struct key2 *key2, + int key_direction, const struct key_type *kt, const char *name) { char log_prefix[128] = { 0 }; struct key_direction_state kds; 
@@ -948,13 +948,32 @@ key_direction_state_init(&kds, key_direction); snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name); - init_key_ctx(&ctx->encrypt, &key2->keys[kds.out_key], kt, + init_key_ctx(ctx, &key2->keys[kds.out_key], kt, OPENVPN_OP_ENCRYPT, log_prefix); +} + +void +init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key2 *key2, + int key_direction, const struct key_type *kt, const char *name) +{ + char log_prefix[128] = { 0 }; + struct key_direction_state kds; + + key_direction_state_init(&kds, key_direction); + snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name); - init_key_ctx(&ctx->decrypt, &key2->keys[kds.in_key], kt, + init_key_ctx(ctx, &key2->keys[kds.in_key], kt, OPENVPN_OP_DECRYPT, log_prefix); +} + +void +init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, + int key_direction, const struct key_type *kt, const char *name) +{ + init_key_bi_ctx_send(&ctx->encrypt, key2, key_direction, kt, name); + init_key_bi_ctx_recv(&ctx->decrypt, key2, key_direction, kt, name); ctx->initialized = true; } @@ -972,6 +991,8 @@ hmac_ctx_free(ctx->hmac); ctx->hmac = NULL; } + CLEAR(ctx->implicit_iv); + ctx->plaintext_blocks = 0; } void diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 0ae86f4..3331672 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -189,7 +189,9 @@ int n; /**< The number of \c key objects stored * in the \c key2.keys array. */ struct key keys[2]; /**< Two unidirectional sets of %key - * material. */ + * material. The first key is the client + * (encrypts) to server (decrypts), the + * second the server to client key. */ }; /** 
@@ -342,6 +344,16 @@ const struct key_type *kt, int enc, const char *prefix); +void +init_key_bi_ctx_send(struct key_ctx *ctx, const struct key2 *key2, + int key_direction, const struct key_type *kt, + const char *name); + +void +init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key2 *key2, + int key_direction, const struct key_type *kt, + const char *name); + void free_key_ctx(struct key_ctx *ctx); void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
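Review bot: Naming in the first crypto.c hunk is inconsistent with the function being split: the bidirectional initialiser is init_key_ctx_bi, but the new single-direction functions are init_key_bi_ctx_send and init_key_bi_ctx_recv, and "bi" is misleading in a function that takes a plain struct key_ctx * and initialises exactly one direction. Suggest init_key_ctx_send/init_key_ctx_recv (or at least the same ctx_bi word order as the existing name), applied consistently in the crypto.h declarations as well.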
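Review bot: In the second crypto.c hunk the new send and recv initialisers are the same body twice, differing only in "Outgoing" vs "Incoming", kds.out_key vs kds.in_key and OPENVPN_OP_ENCRYPT vs OPENVPN_OP_DECRYPT, each recomputing struct key_direction_state; a single static helper taking those three as parameters would avoid the duplication. The remaining init_key_ctx_bi still sets ctx->initialized = true, while a caller that re-keys one direction through the new functions gets no such update, so the commit message or a comment should say that the enclosing key_ctx_bi's initialized flag is the caller's responsibility in that case.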
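Review bot: The third crypto.c hunk, which adds CLEAR(ctx->implicit_iv) and ctx->plaintext_blocks = 0 after hmac_ctx_free, is not covered by the commit message ("Split init_key_ctx_bi into send/recv init") and is logically separate from the split. It is a sensible change, since a key_ctx that is freed and later re-initialised for a new key should not carry the previous key's implicit IV or its plaintext block count, but it belongs in its own commit or needs a sentence in this one explaining why it is here.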
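Review bot: The new comment on struct key2.keys in the first crypto.h hunk states the mapping unconditionally ("The first key is the client (encrypts) to server (decrypts), the second the server to client key"), yet the same patch selects keys[kds.out_key] and keys[kds.in_key] from key_direction, so which index a peer sends with is a property of that parameter rather than of the array. Suggest wording it as the convention the key_direction values implement, e.g. "keys[0] protects client-to-server traffic (client encrypts, server decrypts), keys[1] server-to-client, as selected by key_direction", which also fixes the dangling phrase "the second the server to client key".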
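Review bot: The two declarations added in the second crypto.h hunk have no doxygen comment, although this header documents its fields with /**< comments (see the key2 hunk in the same file). Each should state that it initialises a single unidirectional key_ctx, that key_direction decides which entry of key2->keys is used, and that name is only a log prefix, so the epoch-key callers the commit message mentions know which half of the keying material they are loading.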
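The commit message motivates the split with epoch keys whose send and receive directions rotate at different times. The following is an added example, not part of the patch or of OpenVPN's code base: a self-contained C model with simplified structures that carries the patch's send/recv split and checks the invariant that matters for a VPN data channel, namely that what one peer encrypts with is what the other peer decrypts with. The epoch field on key_ctx, the constructed key material, and the direction mapping (NORMAL sends with keys[0] and receives with keys[1], INVERSE the reverse, BIDIRECTIONAL keys[0] both ways) are my assumptions about key_direction_state_init, not something the patch shows. The first scenario rotates one direction at a time with the new single-direction initialisers; the second shows that re-running the bidirectional initialiser on one side would desynchronise the direction that was not meant to change.

```c
/* Added example, not OpenVPN code: a simplified model of the send/recv split in
 * the patch above. Direction mapping and the epoch field are my assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_LEN 32
/* Assumed mapping: NORMAL sends with keys[0], receives with keys[1]; INVERSE swaps them; BIDIRECTIONAL uses keys[0] both ways. */
enum key_direction { KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_NORMAL, KEY_DIRECTION_INVERSE };
struct key { uint8_t cipher[KEY_LEN]; };
struct key2 { int n; struct key keys[2]; };
struct key_ctx { bool initialized; uint64_t epoch; uint8_t cipher[KEY_LEN]; };
struct key_ctx_bi { struct key_ctx encrypt; struct key_ctx decrypt; bool initialized; };
struct key_direction_state { int out_key; int in_key; };

static void key_direction_state_init(struct key_direction_state *kds, int key_direction) {
    kds->out_key = (key_direction == KEY_DIRECTION_INVERSE) ? 1 : 0;
    kds->in_key = (key_direction == KEY_DIRECTION_NORMAL) ? 1 : 0;
}
/* Wipe before loading, so a re-keyed ctx inherits nothing from the old key
 * (the patch likewise clears implicit_iv and plaintext_blocks on free). */
static void init_key_ctx(struct key_ctx *ctx, const struct key *k, uint64_t epoch) {
    memset(ctx, 0, sizeof(*ctx));
    memcpy(ctx->cipher, k->cipher, KEY_LEN);
    ctx->epoch = epoch;
    ctx->initialized = true;
}

/* Single-direction initialisers with the shape the patch introduces. */
void init_key_bi_ctx_send(struct key_ctx *ctx, const struct key2 *key2, int key_direction, uint64_t epoch) {
    struct key_direction_state kds;
    key_direction_state_init(&kds, key_direction);
    init_key_ctx(ctx, &key2->keys[kds.out_key], epoch);
}
void init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key2 *key2, int key_direction, uint64_t epoch) {
    struct key_direction_state kds;
    key_direction_state_init(&kds, key_direction);
    init_key_ctx(ctx, &key2->keys[kds.in_key], epoch);
}
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, uint64_t epoch) {
    init_key_bi_ctx_send(&ctx->encrypt, key2, key_direction, epoch);
    init_key_bi_ctx_recv(&ctx->decrypt, key2, key_direction, epoch);
    ctx->initialized = true;
}

static bool ctx_match(const struct key_ctx *enc, const struct key_ctx *dec) {
    return enc->initialized && dec->initialized && enc->epoch == dec->epoch
           && memcmp(enc->cipher, dec->cipher, KEY_LEN) == 0;
}

/* Traffic decrypts only if each peer's encrypt key is the other's decrypt key. */
bool peers_consistent(const struct key_ctx_bi *a, const struct key_ctx_bi *b) {
    return ctx_match(&a->encrypt, &b->decrypt) && ctx_match(&b->encrypt, &a->decrypt);
}
/* Constructed, deterministic demo key material per epoch (not a real KDF). */
static void make_key2(struct key2 *k2, uint64_t epoch) {
    k2->n = 2;
    for (int i = 0; i < 2; i++)
        for (int j = 0; j < KEY_LEN; j++)
            k2->keys[i].cipher[j] = (uint8_t)(epoch * 37 + i * 101 + j);
}

/* Client as NORMAL, server as INVERSE, both holding epoch-1 keys; e2 is the next epoch. */
static void setup_pair(struct key_ctx_bi *client, struct key_ctx_bi *server, struct key2 *e2) {
    struct key2 e1;
    make_key2(&e1, 1);
    make_key2(e2, 2);
    init_key_ctx_bi(client, &e1, KEY_DIRECTION_NORMAL, 1);
    init_key_ctx_bi(server, &e1, KEY_DIRECTION_INVERSE, 1);
}

/* Client rotates only its send key to epoch 2 and the server only its recv key:
 * the server-to-client direction stays on epoch 1 and both peers remain in sync. */
bool demo_asymmetric_rotation(void) {
    struct key_ctx_bi client = {0}, server = {0};
    struct key2 e2;
    setup_pair(&client, &server, &e2);
    init_key_bi_ctx_send(&client.encrypt, &e2, KEY_DIRECTION_NORMAL, 2);
    init_key_bi_ctx_recv(&server.decrypt, &e2, KEY_DIRECTION_INVERSE, 2);
    return peers_consistent(&client, &server) && client.encrypt.epoch == 2 && server.encrypt.epoch == 1;
}

/* Without the split the server would re-run init_key_ctx_bi, which also replaces
 * its send key and desynchronises the untouched server-to-client direction. */
bool demo_full_reinit_desyncs(void) {
    struct key_ctx_bi client = {0}, server = {0};
    struct key2 e2;
    setup_pair(&client, &server, &e2);
    init_key_bi_ctx_send(&client.encrypt, &e2, KEY_DIRECTION_NORMAL, 2);
    init_key_ctx_bi(&server, &e2, KEY_DIRECTION_INVERSE, 2);
    return !peers_consistent(&client, &server);
}

int main(void) {
    printf("asymmetric rotation keeps peers in sync: %s\n", demo_asymmetric_rotation() ? "yes" : "no");
    printf("full re-init desyncs the other direction: %s\n", demo_full_reinit_desyncs() ? "yes" : "no");
    return 0;
}
```

Build with any C11 compiler (cc -std=c11 -Wall) and run; both lines should print "yes". The point of the second scenario is the one the patch is made for: once the client has moved its outgoing key forward, the server can follow with the receive side alone, whereas the only tool available before the patch, init_key_ctx_bi, would have replaced both of the server's contexts and broken the direction the client had not rotated yet.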