From patchwork Sat Dec 21 22:39:05 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4011
Delivered-To: patchwork@openvpn.net
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 21 Dec 2024 23:39:05 +0100
Message-ID: <20241221223905.18820-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.45.2
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH v8] Split init_key_ctx_bi into send/recv init
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

From: Arne Schwabe

This allows for only initialising one of the keys. This is needed for
epoch keys where key rotation of send/recv key can happen at different
time points.

Change-Id: If9e029bdac264dcc05b2d256c4d323315904a92b
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/799
This mail reflects revision 8 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 88a9f24..53f50de 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c
@@ -947,8 +947,8 @@ } void -init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, - int key_direction, const struct key_type *kt, const char *name) +init_key_bi_ctx_send(struct key_ctx *ctx, const struct key2 *key2, + int key_direction, const struct key_type *kt, const char *name) { char log_prefix[128] = { 0 }; struct key_direction_state kds; @@ -956,13 +956,32 @@ key_direction_state_init(&kds, key_direction); snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name); - init_key_ctx(&ctx->encrypt, &key2->keys[kds.out_key], kt, + init_key_ctx(ctx, &key2->keys[kds.out_key], kt, OPENVPN_OP_ENCRYPT, log_prefix); +} + +void +init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key2 *key2, + int key_direction, const struct key_type *kt, const char *name) +{ + char log_prefix[128] = { 0 }; + struct key_direction_state kds; + + key_direction_state_init(&kds, key_direction); + snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name); - init_key_ctx(&ctx->decrypt, &key2->keys[kds.in_key], kt, + init_key_ctx(ctx, &key2->keys[kds.in_key], kt, OPENVPN_OP_DECRYPT, log_prefix); +} + +void +init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, + int key_direction, const struct key_type *kt, const char *name) +{ + init_key_bi_ctx_send(&ctx->encrypt, key2, key_direction, kt, name); + init_key_bi_ctx_recv(&ctx->decrypt, key2, key_direction, kt, name); ctx->initialized = true; } @@ -980,6 +999,8 @@ hmac_ctx_free(ctx->hmac); ctx->hmac = NULL; } + CLEAR(ctx->implicit_iv); + ctx->plaintext_blocks = 0; } void diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index bb417e1..648b2c8 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -198,7 +198,9 @@ int n; /**< The number of \c key objects stored * in the \c key2.keys array. */ struct key keys[2]; /**< Two unidirectional sets of %key - * material. */ + * material. The first key is the client + * (encrypts) to server (decrypts), the + * second the server to client key. */ }; /** 
@@ -351,6 +353,16 @@ const struct key_type *kt, int enc, const char *prefix); +void +init_key_bi_ctx_send(struct key_ctx *ctx, const struct key2 *key2, + int key_direction, const struct key_type *kt, + const char *name); + +void +init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key2 *key2, + int key_direction, const struct key_type *kt, + const char *name); + void free_key_ctx(struct key_ctx *ctx); void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
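Review bot: the new names in the crypto.c hunk at @@ -947 are inconsistent with the function they are split out of: `init_key_bi_ctx_send` / `init_key_bi_ctx_recv` put "bi" before "ctx" while the existing wrapper is `init_key_ctx_bi`, and "bi" is misleading here because both new functions take a single `struct key_ctx *`, not a `struct key_ctx_bi *`. Consider `init_key_ctx_send` / `init_key_ctx_recv`, or at least the same word order as `init_key_ctx_bi`, so grep and readers find the family together.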
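Review bot: in the crypto.c hunk at @@ -956, only the rewritten `init_key_ctx_bi` sets `ctx->initialized = true`; the single-direction functions operate on a bare `struct key_ctx` and leave no initialisation marker behind. For the one-direction use the commit message describes (epoch keys rotating send and receive at different times) the caller therefore has to track which direction is live itself, which should be stated in a comment on the two functions. The two bodies also duplicate the `key_direction_state_init(&kds, key_direction)` plus `snprintf(log_prefix, ...)` preamble; a small static helper taking the "Outgoing"/"Incoming" label and the `kds` field to use would keep the send and recv paths from drifting apart.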
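Review bot: the two added lines in the crypto.c hunk at @@ -980,6 +999,8 (`CLEAR(ctx->implicit_iv);` and `ctx->plaintext_blocks = 0;` in `free_key_ctx`) are not covered by the commit message, which only talks about splitting the send/recv initialisation. Either the message should explain why freeing must now reset these fields (presumably so that a `key_ctx` re-initialised for a later epoch does not inherit the previous key's implicit IV or its plaintext block counter, which matters for the usage limits that counter feeds), or the change belongs in its own commit so the behavioural change is visible in history.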
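Review bot: the comment added in the crypto.h hunk at @@ -198 reads awkwardly: "The first key is the client (encrypts) to server (decrypts), the second the server to client key." Suggest "The first key is used for client-to-server traffic (the client encrypts, the server decrypts), the second for server-to-client traffic." It would also help to mention that `key_direction` selects which of the two entries becomes `kds.out_key` and `kds.in_key`, since that is the mapping the crypto.c hunks rely on.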
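Review bot: the two prototypes added in the crypto.h hunk at @@ -351 have no documentation, while the same header documents its fields with `/**< ... */` doxygen comments. Each new function should get a `/** ... */` block stating that `key_direction` chooses which entry of `key2->keys` is loaded, that `name` is only used to build the log prefix, and that, unlike `init_key_ctx_bi`, the function initialises one `struct key_ctx` and sets no `initialized` flag.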