Change subject: oob: Extract init_tls_wrap_ctx() control-channel wrap helper
......................................................................
oob: Extract init_tls_wrap_ctx() control-channel wrap helper
Factor the tls-auth/tls-crypt wrapping-context setup out of
do_init_crypto_tls() into a reusable init_tls_wrap_ctx() helper, and
expose it together with do_init_tls_wrap_key() in init.h. No behavior
change.
This lets the client --server-probe path build the same control-channel
wrapping context before a connection is established, so the probe can be
wrapped with tls-auth/tls-crypt like any other control packet.
Change-Id: I7d8546da9ef06c2226ea77e461f9550d24894c61
Signed-off-by: Lev Stipakov <[email protected]>
---
M src/openvpn/init.c
M src/openvpn/init.h
2 files changed, 83 insertions(+), 37 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/49/1749/1
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 274c86a..e0d6a14 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3077,13 +3077,13 @@
/*
* Initialize the tls-auth/crypt key context
*/
-static void
-do_init_tls_wrap_key(struct context *c)
+void
+do_init_tls_wrap_key(struct context *c, const struct connection_entry *ce)
{
const struct options *options = &c->options;
/* TLS handshake authentication (--tls-auth) */
- if (options->ce.tls_auth_file)
+ if (ce->tls_auth_file)
{
/* Initialize key_type for tls-auth with auth only */
CLEAR(c->c1.ks.tls_auth_key_type);
@@ -3098,33 +3098,31 @@
}
crypto_read_openvpn_key(&c->c1.ks.tls_auth_key_type,
&c->c1.ks.tls_wrap_key,
- options->ce.tls_auth_file,
options->ce.tls_auth_file_inline,
- options->ce.key_direction, "Control Channel
Authentication",
- "tls-auth", &c->c1.ks.original_wrap_keydata);
+ ce->tls_auth_file, ce->tls_auth_file_inline,
ce->key_direction,
+ "Control Channel Authentication", "tls-auth",
+ &c->c1.ks.original_wrap_keydata);
}
/* TLS handshake encryption+authentication (--tls-crypt) */
- if (options->ce.tls_crypt_file)
+ if (ce->tls_crypt_file)
{
tls_crypt_init_key(&c->c1.ks.tls_wrap_key,
&c->c1.ks.original_wrap_keydata,
- options->ce.tls_crypt_file,
options->ce.tls_crypt_file_inline,
- options->tls_server);
+ ce->tls_crypt_file, ce->tls_crypt_file_inline,
options->tls_server);
}
/* tls-crypt with client-specific keys (--tls-crypt-v2) */
- if (options->ce.tls_crypt_v2_file)
+ if (ce->tls_crypt_v2_file)
{
if (options->tls_server)
{
tls_crypt_v2_init_server_key(&c->c1.ks.tls_crypt_v2_server_key,
true,
- options->ce.tls_crypt_v2_file,
- options->ce.tls_crypt_v2_file_inline);
+ ce->tls_crypt_v2_file,
ce->tls_crypt_v2_file_inline);
}
else
{
tls_crypt_v2_init_client_key(&c->c1.ks.tls_wrap_key,
&c->c1.ks.original_wrap_keydata,
- &c->c1.ks.tls_crypt_v2_wkc,
options->ce.tls_crypt_v2_file,
- options->ce.tls_crypt_v2_file_inline);
+ &c->c1.ks.tls_crypt_v2_wkc,
ce->tls_crypt_v2_file,
+ ce->tls_crypt_v2_file_inline);
}
/* We have to ensure that the loaded tls-crypt key is small enough
* to fit into the initial hard reset v3 packet */
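Review bot: do_init_tls_wrap_key() now takes the connection entry as a parameter but still writes the loaded key into `c->c1.ks` and still selects the tls-crypt-v2 server/client branch from `options->tls_server`, i.e. from `c->options` rather than from `ce`, so a caller that passes an entry other than `c->options.ce` (which the description says the --server-probe path will do) leaves `c->c1.ks.tls_wrap_key` and `original_wrap_keydata` holding that entry's material until something reloads it. That may well be intended, but the header comment above the function should say so, e.g. `/* Loads the tls-auth/tls-crypt key selected by ce into c->c1.ks, replacing whatever was loaded before; tls_server is still taken from c->options. */`. The oversized tls-crypt-v2 client key case continues to log an M_WARN prefixed "ERROR:" and carry on, so a new caller cannot detect it from the function, which is worth noting in the same comment. The function body starts in the previous hunk.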
@@ -3133,19 +3131,50 @@
/* empty ACK/message id, tls-crypt, Opcode, UDP, ipv6 */
int required_size = 5 + wkc_len + tls_crypt_buf_overhead() + 1 + 8 +
40;
- if (required_size > c->options.ce.tls_mtu)
+ if (required_size > ce->tls_mtu)
{
msg(M_WARN,
"ERROR: tls-crypt-v2 client key too large to work with "
"requested --max-packet-size %d, requires at least "
"--max-packet-size %d. Packets will ignore requested "
"maximum packet size",
- c->options.ce.tls_mtu, required_size);
+ ce->tls_mtu, required_size);
}
}
}
/*
+ * Configure a control-channel wrapping context (tls-auth/tls-crypt) from a
+ * connection entry and the already-loaded tls-wrap key material. Leaves the
+ * context in TLS_WRAP_NONE if neither tls-auth nor tls-crypt is configured.
+ * tls-crypt-v2 specifics (WKc, server key) are handled by the caller.
+ */
+void
+init_tls_wrap_ctx(struct tls_wrap_ctx *tls_wrap, const struct connection_entry
*ce, bool tls_client,
+ const struct key_schedule *ks, struct packet_id_persist
*pid_persist)
+{
+ /* TLS handshake authentication (--tls-auth) */
+ if (ce->tls_auth_file)
+ {
+ tls_wrap->mode = TLS_WRAP_AUTH;
+ }
+
+ /* TLS handshake encryption (--tls-crypt) */
+ if (ce->tls_crypt_file || (ce->tls_crypt_v2_file && tls_client))
+ {
+ tls_wrap->mode = TLS_WRAP_CRYPT;
+ }
+
+ if (tls_wrap->mode == TLS_WRAP_AUTH || tls_wrap->mode == TLS_WRAP_CRYPT)
+ {
+ tls_wrap->opt.key_ctx_bi = ks->tls_wrap_key;
+ tls_wrap->opt.pid_persist = pid_persist;
+ tls_wrap->opt.flags |= CO_PACKET_ID_LONG_FORM;
+ tls_wrap->original_wrap_keydata = ks->original_wrap_keydata;
+ }
+}
+
+/*
* Initialize the persistent component of OpenVPN's TLS mode,
* which is preserved across SIGUSR1 resets.
*/
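Review bot: init_tls_wrap_ctx() never assigns TLS_WRAP_NONE and ORs into `tls_wrap->opt.flags`, so the "leaves the context in TLS_WRAP_NONE" promise in its header comment only holds when the caller has already zeroed `*tls_wrap`; a second caller (the probe path this change prepares for) that builds a `struct tls_wrap_ctx` on the stack would otherwise test an indeterminate `mode` at the `TLS_WRAP_AUTH || TLS_WRAP_CRYPT` check. Either state the precondition in the comment (`Caller must have zero-initialised *tls_wrap.`) or make the helper self-contained with `tls_wrap->mode = TLS_WRAP_NONE;` before the two `if` blocks — if the existing caller in do_init_crypto_tls clears `to` first (not visible in this hunk), that adds no behaviour change there. Separately, `tls_wrap->opt.key_ctx_bi = ks->tls_wrap_key;` copies the key contexts by value exactly as the inlined code did; if `key_ctx_bi` holds pointers to cipher/HMAC state, the copy aliases contexts owned by `c->c1.ks`, and a probe-side context built with this helper must not free them, which deserves a sentence in the comment.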
@@ -3216,7 +3245,7 @@
init_key_type(&c->c1.ks.key_type, ciphername, options->authname, true,
warn);
/* initialize tls-auth/crypt/crypt-v2 key */
- do_init_tls_wrap_key(c);
+ do_init_tls_wrap_key(c, &c->options.ce);
/* initialise auth-token crypto support */
if (c->options.auth_token_generate)
@@ -3241,7 +3270,7 @@
* tls-auth/crypt key can be configured per connection block, therefore
* we must reload it as it may have changed
*/
- do_init_tls_wrap_key(c);
+ do_init_tls_wrap_key(c, &c->options.ce);
}
}
@@ -3420,25 +3449,9 @@
to.ekm_size = 0;
}
- /* TLS handshake authentication (--tls-auth) */
- if (options->ce.tls_auth_file)
- {
- to.tls_wrap.mode = TLS_WRAP_AUTH;
- }
-
- /* TLS handshake encryption (--tls-crypt) */
- if (options->ce.tls_crypt_file || (options->ce.tls_crypt_v2_file &&
options->tls_client))
- {
- to.tls_wrap.mode = TLS_WRAP_CRYPT;
- }
-
- if (to.tls_wrap.mode == TLS_WRAP_AUTH || to.tls_wrap.mode ==
TLS_WRAP_CRYPT)
- {
- to.tls_wrap.opt.key_ctx_bi = c->c1.ks.tls_wrap_key;
- to.tls_wrap.opt.pid_persist = &c->c1.pid_persist;
- to.tls_wrap.opt.flags |= CO_PACKET_ID_LONG_FORM;
- to.tls_wrap.original_wrap_keydata = c->c1.ks.original_wrap_keydata;
- }
+ /* Control-channel wrapping (--tls-auth / --tls-crypt) */
+ init_tls_wrap_ctx(&to.tls_wrap, &c->options.ce, options->tls_client,
&c->c1.ks,
+ &c->c1.pid_persist);
if (options->ce.tls_crypt_v2_file)
{
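Review bot: The new call passes `&c->options.ce` while the same statement uses the `options` local for `tls_client`; `init_tls_wrap_ctx(&to.tls_wrap, &options->ce, options->tls_client, &c->c1.ks, &c->c1.pid_persist);` keeps one spelling. Worth a comment on the call as well: with --tls-crypt-v2 on the server (`tls_client` false) the helper leaves `to.tls_wrap.mode` untouched, and presumably the `if (options->ce.tls_crypt_v2_file)` block that follows is what configures the context, so the two steps are order-dependent, e.g. `/* tls-crypt-v2 server mode is set up below; the helper only handles tls-auth/tls-crypt and client tls-crypt-v2 */`. do_init_crypto_tls starts and ends outside the hunk.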
diff --git a/src/openvpn/init.h b/src/openvpn/init.h
index 9d5050d..5e7a03c 100644
--- a/src/openvpn/init.h
+++ b/src/openvpn/init.h
@@ -73,6 +73,39 @@
void do_test_crypto(struct context *o);
+/**
+ * @brief Load the tls-auth/tls-crypt(-v2) key material into @p c->c1.ks.
+ *
+ * Reads the key from the file configured on connection entry @p ce
(--tls-auth,
+ * --tls-crypt or --tls-crypt-v2); a no-op when none of them is set. May be
+ * called more than once (the key can be configured per connection block, so it
+ * is reloaded for each connection).
+ *
+ * @param c The context whose c1.ks key schedule is populated.
+ * @param ce The connection entry whose tls-wrap key file is loaded.
+ */
+void do_init_tls_wrap_key(struct context *c, const struct connection_entry
*ce);
+
+/**
+ * @brief Configure a control-channel wrapping context from a connection entry
+ * and previously loaded tls-wrap key material.
+ *
+ * Sets @p tls_wrap to TLS_WRAP_AUTH (--tls-auth) or TLS_WRAP_CRYPT
+ * (--tls-crypt / client --tls-crypt-v2) and installs the key context, or
+ * leaves it in TLS_WRAP_NONE when neither is configured. The key material must
+ * already have been loaded with do_init_tls_wrap_key(). tls-crypt-v2 specifics
+ * (the wrapped client key and the server key) are left to the caller.
+ *
+ * @param tls_wrap The wrapping context to configure.
+ * @param ce The connection entry selecting the wrapping mode.
+ * @param tls_client Whether this is a TLS client (selects tls-crypt-v2 mode).
+ * @param ks Key schedule holding the loaded tls-wrap key material.
+ * @param pid_persist Packet-id persistence object to attach to the context.
+ */
+void init_tls_wrap_ctx(struct tls_wrap_ctx *tls_wrap, const struct
connection_entry *ce,
+ bool tls_client, const struct key_schedule *ks,
+ struct packet_id_persist *pid_persist);
+
void context_gc_free(struct context *c);
bool do_up(struct context *c, bool pulled_options, uint64_t
option_types_found);
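Review bot: The do_init_tls_wrap_key() doc comment omits the two things the function takes from `c` rather than from `@p ce`: the tls-crypt-v2 server/client key type is chosen by `c->options.tls_server`, and the "key too large for --max-packet-size" condition is only logged (M_WARN) rather than reported, so a caller cannot detect it. Suggest adding after the first paragraph: ` * The tls-crypt-v2 key type (server or client) is selected by c->options.tls_server, not by @p ce; an oversized tls-crypt-v2 client key is logged, not returned as an error.` Since the function is now external, the comment should also say that each call replaces the key previously loaded into `c->c1.ks`.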
--