
Remove UDP/TCP mode from PacketIDReceiveType

This mode is only relevant for old OpenVPN 2.3.x clients using CBC-mode
ciphers together with kovpn. Remove the mode from PID control and move the
logic into the kovpn key logic.

Signed-off-by: Arne Schwabe <arne@openvpn.net>
Arne Schwabe 2024-08-15 16:37:18 +02:00 committed by Jenkins-dev
parent 3d3e333c0e
commit 16b2c4afe0
10 changed files with 24 additions and 53 deletions


@ -333,8 +333,7 @@ class Crypto : public CryptoDCInstance
d.nonce.set_tail(decrypt_key, dc_settings.use64bitPktCounter());
}
void init_pid(const int recv_mode,
const char *recv_name,
void init_pid(const char *recv_name,
const int recv_unit,
const SessionStats::Ptr &recv_stats_arg) override
{


@ -85,8 +85,7 @@ class CryptoCHM : public CryptoDCInstance
decrypt_.hmac.init(dc_settings.digest(), decrypt_key);
}
void init_pid(const int recv_mode,
const char *recv_name,
void init_pid(const char *recv_name,
const int recv_unit,
const SessionStats::Ptr &recv_stats_arg) override
{
@ -94,7 +93,7 @@ class CryptoCHM : public CryptoDCInstance
auto pid_form = PacketID::SHORT_FORM;
encrypt_.pid_send.init(pid_form);
decrypt_.pid_recv.init(recv_mode, pid_form, recv_name, recv_unit, recv_stats_arg);
decrypt_.pid_recv.init(pid_form, recv_name, recv_unit, recv_stats_arg);
}
bool consider_compression(const CompressContext &comp_ctx) override


@ -73,8 +73,7 @@ class CryptoDCInstance : public RC<thread_unsafe_refcount>
StaticKey &&decrypt_key)
= 0;
virtual void init_pid(const int recv_mode,
const char *recv_name,
virtual void init_pid(const char *recv_name,
const int recv_unit,
const SessionStats::Ptr &recv_stats_arg)
= 0;


@ -249,13 +249,6 @@ class PacketIDReceiveType
static constexpr unsigned int REPLAY_WINDOW_BYTES = 1 << REPLAY_WINDOW_ORDER;
static constexpr unsigned int REPLAY_WINDOW_SIZE = REPLAY_WINDOW_BYTES * 8;
// mode
enum
{
UDP_MODE = 0,
TCP_MODE = 1
};
OPENVPN_SIMPLE_EXCEPTION(packet_id_not_initialized);
// TODO: [OVPN3-933] Consider RAII'ifying this code
@ -264,8 +257,7 @@ class PacketIDReceiveType
{
}
void init(const int mode_arg,
const int form_arg,
void init(const int form_arg,
const char *name_arg,
const int unit_arg,
const SessionStats::Ptr &stats_arg)
@ -278,7 +270,6 @@ class PacketIDReceiveType
time_high = 0;
id_floor = 0;
max_backtrack = 0;
mode = mode_arg;
form = form_arg;
unit = unit_arg;
name = name_arg;
@ -443,7 +434,6 @@ class PacketIDReceiveType
PacketID::id_t id_floor; // we will only accept backtrack IDs > id_floor
unsigned int max_backtrack;
int mode; // UDP_MODE or TCP_MODE
int form; // PacketID::LONG_FORM or PacketID::SHORT_FORM
int unit; // unit number of this object (for debugging)
std::string name; // name of this object (for debugging)
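Review bot: With the mode enum and the `mode` member removed, nothing left in PacketIDReceiveType tells a reader that receive-side replay checking no longer distinguishes transports, and the remaining members (`id_floor`, `max_backtrack`, `form`) are the only hint. A one-line note above `max_backtrack` would save the next maintainer from searching for the old TCP-linear path, e.g. `// Replay checking always uses the backtrack window; strict-sequential (TCP-linear) handling is no longer done here.` The `init` body and the rest of the class continue outside these hunks, so this is hedged on nothing else in the class still keying on the transport.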


@ -56,7 +56,6 @@ struct Info
CompressContext comp_ctx;
unsigned int key_id = 0;
int remote_peer_id = -1;
bool tcp_linear = false;
StaticKey encrypt_cipher;
StaticKey encrypt_hmac;
StaticKey decrypt_cipher;


@ -75,12 +75,10 @@ class Instance : public CryptoDCInstance
info.decrypt_hmac = std::move(decrypt_key);
}
void init_pid(const int recv_mode,
const char *recv_name,
void init_pid(const char *recv_name,
const int recv_unit,
const SessionStats::Ptr &recv_stats_arg) override
{
info.tcp_linear = (recv_mode == PacketIDReceive::TCP_MODE);
}
void init_remote_peer_id(const int remote_peer_id) override
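Review bot: After dropping the `info.tcp_linear` assignment, this override of `init_pid` has an empty body and all three parameters are unused, which compilers with `-Wunused-parameter` will flag and which reads like an accidental omission. Either comment out the names, `void init_pid(const char * /*recv_name*/, const int /*recv_unit*/, const SessionStats::Ptr & /*recv_stats_arg*/) override`, or add a short comment such as `// Packet-ID receive state is handled by the kernel module; nothing to set up here.` The commit message says the mode logic moves into kovpn key handling, but that code is not in this change, so the comment should be confirmed against where `tcp_linear` now lives.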


@ -408,9 +408,6 @@ class ProtoContext : public logging::LoggingMixin<OPENVPN_DEBUG_PROTO,
TLSCryptMetadataFactory::Ptr tls_crypt_metadata_factory;
// packet_id parms for both data and control channels
int pid_mode = 0; // PacketIDReceive::UDP_MODE or PacketIDReceive::TCP_MODE
// timeout parameters, relative to construction of KeyContext object
Time::Duration handshake_window; // SSL/TLS negotiation must complete by this time
Time::Duration become_primary; // KeyContext (that is ACTIVE) becomes primary at this time
@ -468,7 +465,6 @@ class ProtoContext : public logging::LoggingMixin<OPENVPN_DEBUG_PROTO,
keepalive_timeout_early = keepalive_timeout;
comp_ctx = CompressContext(CompressContext::NONE, false);
protocol = Protocol();
pid_mode = PacketIDReceive::UDP_MODE;
key_direction = default_key_direction;
// layer
@ -967,21 +963,10 @@ class ProtoContext : public logging::LoggingMixin<OPENVPN_DEBUG_PROTO,
return os.str();
}
void set_pid_mode(const bool tcp_linear)
{
if (protocol.is_udp() || !tcp_linear)
pid_mode = PacketIDReceive::UDP_MODE;
else if (protocol.is_tcp())
pid_mode = PacketIDReceive::TCP_MODE;
else
throw proto_option_error(ERR_INVALID_OPTION_VAL, "transport protocol undefined");
}
void set_protocol(const Protocol &p)
{
// adjust options for new transport protocol
protocol = p;
set_pid_mode(false);
}
void set_tls_auth_digest(const CryptoAlgs::Type digest)
@ -2321,8 +2306,7 @@ class ProtoContext : public logging::LoggingMixin<OPENVPN_DEBUG_PROTO,
crypto->init_hmac(key.slice(OpenVPNStaticKey::HMAC | OpenVPNStaticKey::ENCRYPT | key_dir),
key.slice(OpenVPNStaticKey::HMAC | OpenVPNStaticKey::DECRYPT | key_dir));
crypto->init_pid(c.pid_mode,
"DATA",
crypto->init_pid("DATA",
int(key_id_),
proto.stats);
@ -3842,7 +3826,7 @@ class ProtoContext : public logging::LoggingMixin<OPENVPN_DEBUG_PROTO,
hmac_size = c.tls_crypt_context->digest_size();
ta_pid_send.init(PacketID::LONG_FORM);
ta_pid_recv.init(c.pid_mode, PacketID::LONG_FORM, "SSL-CC", 0, stats);
ta_pid_recv.init(PacketID::LONG_FORM, "SSL-CC", 0, stats);
reset_tls_crypt(c, dyn_key);
}
@ -3900,7 +3884,7 @@ class ProtoContext : public logging::LoggingMixin<OPENVPN_DEBUG_PROTO,
reset_tls_crypt(c, c.tls_key);
// init tls_crypt packet ID
ta_pid_send.init(PacketID::LONG_FORM);
ta_pid_recv.init(c.pid_mode, PacketID::LONG_FORM, "SSL-CC", 0, stats);
ta_pid_recv.init(PacketID::LONG_FORM, "SSL-CC", 0, stats);
break;
case TLS_CRYPT_V2:
if (is_server())
@ -3914,7 +3898,7 @@ class ProtoContext : public logging::LoggingMixin<OPENVPN_DEBUG_PROTO,
* to indicate EARLY_NEG_START/CONTROL_WKC_V1 support */
// init tls_crypt packet ID
ta_pid_send.init(PacketID::LONG_FORM, EARLY_NEG_START);
ta_pid_recv.init(c.pid_mode, PacketID::LONG_FORM, "SSL-CC", 0, stats);
ta_pid_recv.init(PacketID::LONG_FORM, "SSL-CC", 0, stats);
break;
case TLS_AUTH:
// init OvpnHMACInstance
@ -3946,7 +3930,7 @@ class ProtoContext : public logging::LoggingMixin<OPENVPN_DEBUG_PROTO,
*
*/
ta_pid_send.init(PacketID::LONG_FORM, cookie_psid.defined() ? 1 : 0);
ta_pid_recv.init(c.pid_mode, PacketID::LONG_FORM, "SSL-CC", 0, stats);
ta_pid_recv.init(PacketID::LONG_FORM, "SSL-CC", 0, stats);
break;
case TLS_PLAIN:
break;
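Review bot: The comment `// adjust options for new transport protocol` in `set_protocol` is now stale: the only adjustment it performed was the `set_pid_mode(false)` call removed in the hunk at `@ -967`, so the method body is just `protocol = p;`. Either drop the comment or make it truthful, e.g. `// Record the transport protocol; no derived options are adjusted here.` Removing `set_pid_mode` loses no validation, since the `"transport protocol undefined"` throw was unreachable from `set_protocol` (it always passed `tcp_linear == false`), but any out-of-tree caller of `set_pid_mode` or reader of `pid_mode` will now fail to compile, which is the intended way to catch them. The same `ta_pid_recv.init` argument removal repeats in the hunks at `@ -3842`, `@ -3900`, `@ -3914` and `@ -3946` and needs no further comment.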


@ -136,8 +136,7 @@ void test_datachannel_crypto(bool tag_at_the_end, bool longpktcounter = false)
cryptodc.init_cipher(static_key.slice(openvpn::OpenVPNStaticKey::CIPHER | openvpn::OpenVPNStaticKey::ENCRYPT | key_dir),
static_key.slice(openvpn::OpenVPNStaticKey::CIPHER | openvpn::OpenVPNStaticKey::ENCRYPT | key_dir));
cryptodc.init_pid(0,
"DATA",
cryptodc.init_pid("DATA",
0,
statsptr);


@ -1,6 +1,7 @@
#include "test_common.h"
#include <openvpn/crypto/packet_id.hpp>
#include <openvpn/crypto/packet_id_aead.hpp>
using namespace openvpn;
@ -17,12 +18,12 @@ void testcase(PIDRecv &pr,
ASSERT_EQ(status, expected_status);
}
void test()
template <typename PIDRecv>
void do_packet_id_recv_test()
{
typedef PacketIDReceiveType<3, 5> PIDRecv;
SessionStats::Ptr stats(new SessionStats());
PIDRecv pr;
pr.init(PIDRecv::UDP_MODE, PacketID::SHORT_FORM, "test", 0, stats);
pr.init(PacketID::SHORT_FORM, "test", 0, stats);
testcase(pr, 0, 0, 0, Error::PKTID_INVALID);
testcase(pr, 1, 0, 1, Error::SUCCESS);
@ -77,6 +78,12 @@ void test()
testcase(pr, 85, 15, 66, Error::SUCCESS);
}
TEST(misc, pktid_test_normal)
{
do_packet_id_recv_test<PacketIDReceiveType<3, 5>>();
}
template <unsigned int ORDER, unsigned int EXPIRE>
void perfiter(const long n,
const long range,
@ -97,7 +104,7 @@ void perfiter(const long n,
long high = 0;
SessionStats::Ptr stats(new SessionStats());
PIDRecv pr;
pr.init(PIDRecv::UDP_MODE, PacketID::SHORT_FORM, "test", 0, stats);
pr.init(PacketID::SHORT_FORM, "test", 0, stats);
for (long i = 1; i < n; i += step)
{
@ -144,7 +151,7 @@ void perf(long &count)
perfiter<ORDER, EXPIRE>(20000, 4, PIDRecv::REPLAY_WINDOW_SIZE / 2, 10, count);
}
TEST(misc, pktid)
TEST(misc, pktid_perf)
{
{
long count = 0;
@ -153,5 +160,4 @@ TEST(misc, pktid)
perf<8, 5>(count);
// ASSERT_EQ(4746439, count);
}
test();
}
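Review bot: The new `#include <openvpn/crypto/packet_id_aead.hpp>` is not used by anything visible in these hunks; `do_packet_id_recv_test` is made a template over `PIDRecv` but is instantiated only once, with `PacketIDReceiveType<3, 5>`, in `TEST(misc, pktid_test_normal)`. If the intent is to exercise the AEAD receive type with the same sequence, add a second `TEST` instantiating the template with that type; otherwise the include should go, unless a part of the file outside these hunks uses it. The commented-out `// ASSERT_EQ(4746439, count);` kept in the renamed `pktid_perf` test also deserves either a reason comment or removal.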


@ -958,7 +958,6 @@ int test(const int thread_num, bool use_tls_ekm)
}
cp->tls_crypt_ = ClientProtoContext::ProtoConfig::TLSCrypt::V2;
#endif
cp->pid_mode = PacketIDReceive::UDP_MODE;
#if defined(HANDSHAKE_WINDOW)
cp->handshake_window = Time::Duration::seconds(HANDSHAKE_WINDOW);
#elif SITER > 1
@ -1046,7 +1045,6 @@ int test(const int thread_num, bool use_tls_ekm)
sp->tls_crypt_metadata_factory.reset(new CryptoTLSCryptMetadataFactory());
sp->tls_crypt_ = ClientProtoContext::ProtoConfig::TLSCrypt::V2;
#endif
sp->pid_mode = PacketIDReceive::UDP_MODE;
#if defined(HANDSHAKE_WINDOW)
sp->handshake_window = Time::Duration::seconds(HANDSHAKE_WINDOW);
#elif SITER > 1