From patchwork Tue Jul 7 02:16:11 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1209 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id eLHzFMVnBF93TgAAIUCqbw for ; Tue, 07 Jul 2020 08:17:09 -0400 Received: from proxy13.mail.iad3b.rsapps.net ([172.31.255.6]) by director11.mail.ord1d.rsapps.net with LMTP id EK+hEsVnBF/iOwAAvGGmqA ; Tue, 07 Jul 2020 08:17:09 -0400 Received: from smtp23.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy13.mail.iad3b.rsapps.net with LMTP id UB6JDcVnBF8vcQAAvUvv+w ; Tue, 07 Jul 2020 08:17:09 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp23.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: c6dbd3dc-c04b-11ea-b1fc-525400aa5716-1-1 Received: from [216.105.38.7] ([216.105.38.7:39460] helo=lists.sourceforge.net) by smtp23.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 01/90-25416-4C7640F5; Tue, 07 Jul 2020 08:17:08 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jsmWQ-0001Z3-Ge; Tue, 07 Jul 2020 12:16:26 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com 
with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jsmWP-0001Yx-JX for openvpn-devel@lists.sourceforge.net; Tue, 07 Jul 2020 12:16:25 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc: MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=NsBdg88SQeJv+7RO2bIMU/bWC0VCsWWon9pgxSjDzME=; b=BBez1vd5nXTpn0rAdwjN6rLfn7 UVxJiFIvqqfxxbsl/cuvhnU6tlqN0gAqQHi69A/DWOe/qX1o8MYO1ptqsXHNdwi5iXeimG7x4gNte DSUNrKddoerVJyv0LqmNxPQ50K7Hd0pfZL4p513HzyjGbpuSxBlvKC5XlX/Dx76GVTUw=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:MIME-Version: Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=NsBdg88SQeJv+7RO2bIMU/bWC0VCsWWon9pgxSjDzME=; b=C06pomaM+WfFAPP5DIv8VyVYWE IaqAl1AEi70HN4ftBf2PxxPM5/GCVQpwrIXnx0WZOkqgsgji+oe1HzlT069u6uvK0s46ynNs7gLQD pm+pzULrS/wCKjTJ+f/mkfO8j7ItcpEOkk8ecvnLHvuXnYlaRCsJnOep24XpgI9NF+B8=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jsmWN-00DAjE-9Q for openvpn-devel@lists.sourceforge.net; Tue, 07 Jul 2020 12:16:25 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.92.3 (FreeBSD)) (envelope-from ) id 1jsmWF-000O1s-U9 for openvpn-devel@lists.sourceforge.net; Tue, 07 Jul 2020 14:16:15 +0200 Received: (nullmailer pid 15781 invoked by uid 10006); Tue, 07 Jul 
2020 12:16:15 -0000
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Jul 2020 14:16:11 +0200
Message-Id: <20200707121615.15736-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
 See http://spamassassin.org/tag/ for more details.
 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
     See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
     for more information. [URIs: rfc2549.org]
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
 0.0 SPF_NONE SPF: sender does not publish an SPF Record
 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
X-Headers-End: 1jsmWN-00DAjE-9Q
Subject: [Openvpn-devel] [PATCH] Add file to ignore reformatting changes
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
MIME-Version: 1.0
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox

This allows git blame to ignore reformatting changes and instead shows the
previous commit that changed the line. To avoid manually building the list
of commits, this commit adds a file with a list of reformatting commits.
I might have missed a few but this should be a good start.

To use the file use:

    git blame --ignore-revs-file=.git-blame-ignore-revs file

or to automatically always use the file

    git config blame.ignoreRevsFile .git-blame-ignore-revs

Naming the file .git-blame-ignore-revs is a convention. Some more details
in this random blog post:
https://www.moxio.com/blog/43/ignoring-bulk-change-commits-with-git-blame
Signed-off-by: Arne Schwabe --- .git-blame-ignore-revs | 29 +++++++++++++++++++ .../managent-demo/management-demo-server.py | 0 contrib/ovpnkeys.py | 0 3 files changed, 29 insertions(+) create mode 100644 .git-blame-ignore-revs create mode 100644 contrib/managent-demo/management-demo-server.py create mode 100644 contrib/ovpnkeys.py diff --git a/contrib/managent-demo/management-demo-server.py b/contrib/managent-demo/management-demo-server.py new file mode 100644 index 00000000..e69de29b diff --git a/contrib/ovpnkeys.py b/contrib/ovpnkeys.py new file mode 100644 index 00000000..e69de29b diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs new file mode 100644 index 00000000..3cc811cf --- /dev/null +++ b/.git-blame-ignore-revs 
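Review bot: the diffstat and the two `diff --git` headers for contrib/managent-demo/management-demo-server.py and contrib/ovpnkeys.py add empty files (index 00000000..e69de29b is the empty blob) that the commit message never mentions; they look like stray additions (note also the "managent" spelling in the directory name) and should be dropped so this patch only creates .git-blame-ignore-revs.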
@@ -0,0 +1,29 @@ +# Uncrustify the tests/unit_tests/ part of our tree. +da1574ef7826d73f01e120cbd1ba40ce39a305b7 + +# Another round of uncrustify code cleanup. +9cf7b4925a54d93fbea1cadcf3dc0e11f3ce358f + +# networking_sitnl.c: uncrustify file +2c45d268ca65c522fbabb7c4dab5e721296b4623 + +# Uncrustify tapctl and openvpnmsica +6280d3d5536174934ee22d3840457d61896e0e3a +# tun.c: uncrustify +baef44fc8769bbd99f4d699ce9f63180c29a5455 + +# networking_sitnl.c: uncrustify file +2c45d268ca65c522fbabb7c4dab5e721296b4623 + +# uncrustify openvpn sources +f57431cdc88f22fa4d7962946f0d3187fe058539 + +# More broadly enforce Allman style and braces-around-conditionals +4cd4899e8e80efae03c584a760fd107251735723 + +# Merge 'reformatting' branch into master +1f004b2f06e987d73e48f7fd7b96b0b248274f58 + +# The Great Reformatting - first phase +81d882d5302b8b647202a6893b57dfdc61fd6df2 + From patchwork Tue Jul 7 02:16:14 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1213 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.27.255.55]) by backend30.mail.ord1d.rsapps.net with LMTP id WBS1JNBnBF+OIgAAIUCqbw for ; Tue, 07 Jul 2020 08:17:20 -0400 Received: from proxy19.mail.iad3a.rsapps.net ([172.27.255.55]) by director12.mail.ord1d.rsapps.net with LMTP id kERyItBnBF/BJAAAIasKDg ; Tue, 07 Jul 2020 08:17:20 -0400 Received: from smtp51.gate.iad3a ([172.27.255.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy19.mail.iad3a.rsapps.net with LMTP id oOTqHNBnBF8jFAAAXy6Yeg ; Tue, 07 Jul 2020 08:17:20 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp51.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass 
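Review bot: the .git-blame-ignore-revs hunk lists 2c45d268ca65c522fbabb7c4dab5e721296b4623 ("networking_sitnl.c: uncrustify file") twice; git tolerates the duplicate, but drop the second copy to keep the list clean. Also keep every entry a full 40-character object id as they are here, because git blame --ignore-revs-file dies on a line it cannot parse as a full object name instead of skipping it.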
smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: cd169fd4-c04b-11ea-902d-525400aaff7b-1-1 Received: from [216.105.38.7] ([216.105.38.7:57674] helo=lists.sourceforge.net) by smtp51.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 4D/42-05432-EC7640F5; Tue, 07 Jul 2020 08:17:19 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jsmWX-0005fX-2j; Tue, 07 Jul 2020 12:16:33 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jsmWV-0005fK-SX for openvpn-devel@lists.sourceforge.net; Tue, 07 Jul 2020 12:16:31 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Gbx3vKIJE0W6JFmpLxdZMVQoTUbskAus6IkodUtPCOo=; b=nGJxZG8WTMmuJ11y1+gXlynx4E nw1kDT9iadCLfWujXRmX8hQ+RkyrV9QpWzz2va8Yyqb5hoCvEWehNJxSh55dj/Yytgy6CTG7THwKu 0aUs6QFgeO+47ZRlvR0MEkEdcFD7OsigrcV3T8hmiBKpTTYYPuftKeec059q1fNhGAmw=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: 
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Gbx3vKIJE0W6JFmpLxdZMVQoTUbskAus6IkodUtPCOo=; b=V0a8d94puM4TfTHQ5DO9Te7WIR xSOJjgT+xfNqPVMqCi6H2yOQaS6zvu/9eBtMraM3aRVp5ADeWaPA48iGaVsetEqMEZSRfIWbFp9Dw cQo4rbmFzRXUp60NFa5kFmLvDXJMTMi++CS/DjRS0Ktigccc7PcQ0p5HT5euKUjoaRbc=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jsmWU-00G8Ch-Nq for openvpn-devel@lists.sourceforge.net; Tue, 07 Jul 2020 12:16:31 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.92.3 (FreeBSD)) (envelope-from ) id 1jsmWG-000O24-5h for openvpn-devel@lists.sourceforge.net; Tue, 07 Jul 2020 14:16:16 +0200 Received: (nullmailer pid 15791 invoked by uid 10006); Tue, 07 Jul 2020 12:16:16 -0000 
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Jul 2020 14:16:14 +0200
Message-Id: <20200707121615.15736-4-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200707121615.15736-1-arne@rfc2549.org>
References: <20200707121615.15736-1-arne@rfc2549.org>
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
 See http://spamassassin.org/tag/ for more details.
 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
     See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
     for more information. [URIs: rfc2549.org]
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
 0.0 SPF_NONE SPF: sender does not publish an SPF Record
 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
X-Headers-End: 1jsmWU-00G8Ch-Nq
Subject: [Openvpn-devel] [PATCH 2/3] Cleanup: Remove unused code of old poor man's NCP.
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
MIME-Version: 1.0
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox

Ever since the NCPv2 the ncp_get_best_cipher uses the global
options->ncp_enabled option and ignores the tls_session->ncp_enabled
option. The server side's poor man's NCP is implemented as seeing the
list of supported ciphers from the peer as just one cipher, so this
special handling for poor man's NCP of the older NCP here is not needed
anymore.

Theoretically we can now get rid of tls_session->ncp_enabled but doing so
requires more refactoring since options is not available in the methods
that still use it. And when we remove ncp-disable the variable will be
removed anyway.

Also document the remaining usage of tls_poor_mans_ncp better.

Signed-off-by: Arne Schwabe
---
 src/openvpn/init.c |  2 ++
 src/openvpn/ssl.c  | 15 +--------------
 2 files changed, 3 insertions(+), 14 deletions(-)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 91b919d5..e9c01629 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2376,6 +2376,8 @@ do_deferred_options(struct context *c, const unsigned int found) } else if (c->options.ncp_enabled) { + /* If the server did not push a --cipher, we will switch to the + * remote cipher if it is in our ncp-ciphers list */ tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername); } struct frame *frame_fragment = NULL; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9df7552d..71565dd3 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2463,8 +2463,7 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) * generation is postponed until after the pull/push, so we can process pushed * cipher directives. */ - if (session->opt->server && !(session->opt->ncp_enabled - && session->opt->mode == MODE_SERVER && ks->key_id <= 0)) + if (session->opt->server && !(session->opt->mode == MODE_SERVER && ks->key_id <= 0)) { if (ks->authenticated != KS_AUTH_FALSE) { 
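Review bot: in the key_method_2_write hunk, dropping `session->opt->ncp_enabled` from the condition means a server running with --ncp-disable now also postpones data channel key generation for key_id <= 0 until after the push. The do_deferred_options branch touched in init.c is the client-side path, so please confirm that the server-side deferred path (not in this patch) still generates the keys when NCP is disabled; otherwise the first key is never generated in that configuration. Stating that in the commit message would help the next reader too.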
@@ -2616,18 +2615,6 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio multi->remote_ciphername = options_string_extract_option(options, "cipher", NULL); - if (!tls_peer_supports_ncp(multi->peer_info)) - { - /* Peer does not support NCP, but leave NCP enabled if the local and - * remote cipher do not match to attempt 'poor-man's NCP'. - */ - if (multi->remote_ciphername == NULL - || 0 == strcmp(multi->remote_ciphername, multi->opt.config_ciphername)) - { - session->opt->ncp_enabled = false; - } - } - if (tls_session_user_pass_enabled(session)) { /* Perform username/password authentication */ From patchwork Tue Jul 7 02:16:15 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1211 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.27.255.8]) by backend30.mail.ord1d.rsapps.net with LMTP id UL5EG8ZnBF93TgAAIUCqbw for ; Tue, 07 Jul 2020 08:17:10 -0400 Received: from proxy15.mail.iad3a.rsapps.net ([172.27.255.8]) by director7.mail.ord1d.rsapps.net with LMTP id IPihGMZnBF/5CAAAovjBpQ ; Tue, 07 Jul 2020 08:17:10 -0400 Received: from smtp50.gate.iad3a ([172.27.255.8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy15.mail.iad3a.rsapps.net with LMTP id 8HDUEMZnBF8iZQAAHi9b9g ; Tue, 07 Jul 2020 08:17:10 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp50.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org 
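Review bot: the removed block in key_method_2_read was the only place that set session->opt->ncp_enabled = false for a peer without NCP support, and the commit message says tls_session->ncp_enabled still has users, so after this hunk those users see NCP as enabled for a non-NCP peer. Please name the remaining readers in the commit message and confirm each is fine with that (or already consults the global options->ncp_enabled). If this was the last caller of tls_peer_supports_ncp() in ssl.c, remove the function as well rather than leaving dead code.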
X-Suspicious-Flag: YES X-Classification-ID: c7616c7c-c04b-11ea-9aee-525400c2fb51-1-1 Received: from [216.105.38.7] ([216.105.38.7:42128] helo=lists.sourceforge.net) by smtp50.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 0B/2E-09626-5C7640F5; Tue, 07 Jul 2020 08:17:09 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jsmWW-0008Du-6m; Tue, 07 Jul 2020 12:16:32 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jsmWU-0008Dm-Fj for openvpn-devel@lists.sourceforge.net; Tue, 07 Jul 2020 12:16:30 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=weTItSzSzWVjpBwdQncEW1rlrKrde08ln2gZhfibN9U=; b=H599EpUKti9STc+yeXU9q9BYXV CaO0/WjEBQrizL5Y8jd6vWDr1UY7u9QkPJk8jN+16i9AheRLdkci0vPj5t4p5n/1QpELISA9PEeJD 0wY3HEcJePW/jNAtgD+KeiwnIWfBUa16KglD/RPKdFNvBsf1VcBLvw+EEZfKXZIivvNk=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=weTItSzSzWVjpBwdQncEW1rlrKrde08ln2gZhfibN9U=; b=dH5sdzP2yatMFYW9hNNxagT23w 
iHBWdd9tkYdVtwkLagI7IXickCQvyAZnyW4sT6NZ0nhzlqpFkzBl1w9xIQiDVCR4l//zGfo/eArTx GgLyb8scD6SDT1dH35g/fWSbNjBSrWK96MX0Fb0Ma4M93pdepuvw1m0+ZQhhlWPC+nyA=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jsmWS-00G8CL-Tz for openvpn-devel@lists.sourceforge.net; Tue, 07 Jul 2020 12:16:30 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.92.3 (FreeBSD)) (envelope-from ) id 1jsmWG-000O28-7U for openvpn-devel@lists.sourceforge.net; Tue, 07 Jul 2020 14:16:16 +0200 Received: (nullmailer pid 15795 invoked by uid 10006); Tue, 07 Jul 2020 12:16:16 -0000 
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Jul 2020 14:16:15 +0200
Message-Id: <20200707121615.15736-5-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200707121615.15736-1-arne@rfc2549.org>
References: <20200707121615.15736-1-arne@rfc2549.org>
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
 See http://spamassassin.org/tag/ for more details.
 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
     See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
     for more information. [URIs: rfc2549.org]
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different
 0.0 SPF_NONE SPF: sender does not publish an SPF Record
 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
X-Headers-End: 1jsmWS-00G8CL-Tz
Subject: [Openvpn-devel] [PATCH 3/3] Make key_state->authenticated more state machine like
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id:
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
MIME-Version: 1.0
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox

This orders the states from unauthenticated to authenticated and also
changes the comparison for KS_AUTH_FALSE from != to >.

Also remove a now obsolete comment and two obsolete ifdefs. While keeping
the ifdef in ssl_verify would save a few bytes of code, this is too minor
to justify keeping the ifdef.

Signed-off-by: Arne Schwabe
---
 src/openvpn/ssl.c        |  6 +++---
 src/openvpn/ssl_common.h |  7 ++-----
 src/openvpn/ssl_verify.c | 15 ++++-----------
 3 files changed, 9 insertions(+), 19 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 71565dd3..c73b51c3 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2465,7 +2465,7 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) */ if (session->opt->server && !(session->opt->mode == MODE_SERVER && ks->key_id <= 0)) { - if (ks->authenticated != KS_AUTH_FALSE) + if (ks->authenticated > KS_AUTH_FALSE) { if (!tls_session_generate_data_channel_keys(session)) { @@ -2646,7 +2646,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio secure_memzero(up, sizeof(*up)); /* Perform final authentication checks */ - if (ks->authenticated != KS_AUTH_FALSE) + if (ks->authenticated > KS_AUTH_FALSE) { verify_final_auth_checks(multi, session); } @@ -2671,7 +2671,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final * veto opportunity over authentication decision. */ - if ((ks->authenticated != KS_AUTH_FALSE) + if ((ks->authenticated > KS_AUTH_FALSE) && plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL)) { key_state_export_keying_material(&ks->ks_ssl, session); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index fdf589b5..7d841ffb 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -129,8 +129,8 @@ struct key_source2 { enum ks_auth_state { KS_AUTH_FALSE, - KS_AUTH_TRUE, - KS_AUTH_DEFERRED + KS_AUTH_DEFERRED, + KS_AUTH_TRUE }; /** @@ -194,8 +194,6 @@ struct key_state enum ks_auth_state authenticated; time_t auth_deferred_expire; -#ifdef ENABLE_DEF_AUTH - /* If auth_deferred is true, authentication is being deferred */ #ifdef MANAGEMENT_DEF_AUTH unsigned int mda_key_id; unsigned int mda_status; @@ -205,7 +203,6 @@ struct key_state time_t acf_last_mod; char *auth_control_file; #endif -#endif }; /** Control channel wrapping (--tls-auth/--tls-crypt) context */ diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index e28f1f3a..6996d430 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c 
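Review bot: the ssl_common.h enum hunk makes the declaration order load-bearing: every `ks->authenticated > KS_AUTH_FALSE` test in the ssl.c hunks relies on KS_AUTH_FALSE < KS_AUTH_DEFERRED < KS_AUTH_TRUE. Add a comment on enum ks_auth_state saying the values are ordered from unauthenticated to authenticated and that comparisons depend on that order, so a later edit cannot silently reorder it. The swap also changes the numeric values of KS_AUTH_DEFERRED and KS_AUTH_TRUE, so it is worth a grep for any code that compares or stores these as plain integers rather than by name.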
@@ -950,7 +950,7 @@ tls_authentication_status(struct tls_multi *multi, const int latency) if (DECRYPT_KEY_ENABLED(multi, ks)) { active = true; - if (ks->authenticated != KS_AUTH_FALSE) + if (ks->authenticated > KS_AUTH_FALSE) { #ifdef ENABLE_DEF_AUTH unsigned int s1 = ACF_DISABLED; @@ -1414,17 +1414,10 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, */ send_push_reply_auth_token(multi); } -#ifdef ENABLE_DEF_AUTH msg(D_HANDSHAKE, "TLS: Username/Password authentication %s for username '%s' %s", (ks->authenticated == KS_AUTH_DEFERRED) ? "deferred" : "succeeded", up->username, (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); -#else - msg(D_HANDSHAKE, "TLS: Username/Password authentication %s for username '%s' %s", - "succeeded", - up->username, - (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); -#endif } else { @@ -1445,7 +1438,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) } /* Don't allow the CN to change once it's been locked */ - if (ks->authenticated != KS_AUTH_FALSE && multi->locked_cn) + if (ks->authenticated > KS_AUTH_FALSE && multi->locked_cn) { const char *cn = session->common_name; if (cn && strcmp(cn, multi->locked_cn)) @@ -1461,7 +1454,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) } /* Don't allow the cert hashes to change once they have been locked */ - if (ks->authenticated != KS_AUTH_FALSE && multi->locked_cert_hash_set) + if (ks->authenticated > KS_AUTH_FALSE && multi->locked_cert_hash_set) { const struct cert_hash_set *chs = session->cert_hash_set; if (chs && !cert_hash_compare(chs, multi->locked_cert_hash_set)) 
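Review bot: removing the ENABLE_DEF_AUTH guard and the #else branch in verify_user_pass is safe only because the ssl_common.h hunk now defines KS_AUTH_DEFERRED unconditionally; the ENABLE_DEF_AUTH guard still visible in the tls_authentication_status context gates the ACF-specific variables, so it is correctly kept. A one-line mention in the commit message of which ifdefs were removed and which stay would preempt that question.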
@@ -1475,7 +1468,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) } /* verify --client-config-dir based authentication */ - if (ks->authenticated != KS_AUTH_FALSE && session->opt->client_config_dir_exclusive) + if (ks->authenticated > KS_AUTH_FALSE && session->opt->client_config_dir_exclusive) { struct gc_arena gc = gc_new();
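Review bot: the `>` comparisons in verify_final_auth_checks, as in the other sites in this patch, preserve the old `!= KS_AUTH_FALSE` semantics only because KS_AUTH_DEFERRED sorts above KS_AUTH_FALSE, so deferred sessions still go through the CN, cert-hash and client-config-dir checks. That is the intended behaviour, but please say so explicitly in the commit message, since a reader may otherwise read `>` as "fully authenticated" and expect deferred sessions to be skipped.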