Simplify key material exporter backend API
Just pass pointer and length, instead of a gc and return (possibly) allocated memory. Saves us some gc instantiations and memcpy()s. Exact same functionality, 19 lines less code. (Didn't want to delay the TLS EKM reviews for this, so submitted as a patch afterwards.) Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20201009144755.39719-1-steffan@karger.me> URL: https://www.mail-archive.com/search?l=mid&q=20201009144755.39719-1-steffan@karger.me Signed-off-by: Gert Doering <gert@greenie.muc.de>
parent
6dc09d0d45
commit
f0734e4995
4 changed files with 22 additions and 41 deletions
@ -1786,23 +1786,14 @@ init_key_contexts(struct key_ctx_bi *key,
|
|||
static bool
|
||||
generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
|
||||
{
|
||||
struct gc_arena gc = gc_new();
|
||||
unsigned char *key2data;
|
||||
|
||||
key2data = key_state_export_keying_material(session,
|
||||
EXPORT_KEY_DATA_LABEL,
|
||||
strlen(EXPORT_KEY_DATA_LABEL),
|
||||
sizeof(key2->keys),
|
||||
&gc);
|
||||
if (!key2data)
|
||||
if (!key_state_export_keying_material(session, EXPORT_KEY_DATA_LABEL,
|
||||
strlen(EXPORT_KEY_DATA_LABEL),
|
||||
key2->keys, sizeof(key2->keys)))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
memcpy(key2->keys, key2data, sizeof(key2->keys));
|
||||
secure_memzero(key2data, sizeof(key2->keys));
|
||||
key2->n = 2;
|
||||
|
||||
gc_free(&gc);
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
@ -2499,12 +2490,11 @@ export_user_keying_material(struct key_state_ssl *ssl,
|
|||
unsigned int size = session->opt->ekm_size;
|
||||
struct gc_arena gc = gc_new();
|
||||
|
||||
unsigned char *ekm;
|
||||
if ((ekm = key_state_export_keying_material(session,
|
||||
session->opt->ekm_label,
|
||||
session->opt->ekm_label_size,
|
||||
session->opt->ekm_size,
|
||||
&gc)))
|
||||
unsigned char *ekm = gc_malloc(session->opt->ekm_size, true, &gc);
|
||||
if (key_state_export_keying_material(session,
|
||||
session->opt->ekm_label,
|
||||
session->opt->ekm_label_size,
|
||||
ekm, session->opt->ekm_size))
|
||||
{
|
||||
unsigned int len = (size * 2) + 2;
|
||||
|
||||
|
|
|
|||
|
|
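Review bot: The second hunk's new lines spell out `session->opt->ekm_size` twice, in the `gc_malloc()` call and as the last argument to `key_state_export_keying_material()`, although the function already caches that value in the local `size` on the hunk's first line and derives `len` from it a few lines below. Using the local in both places, `unsigned char *ekm = gc_malloc(size, true, &gc);` and `ekm, size))`, keeps the allocation length, the export length and the hex-formatting length visibly tied to one value. Since `ekm` is now a gc buffer owned by this function rather than memory the backend hands back, it is worth confirming that the remainder of export_user_keying_material, which continues past the hunk, still scrubs it (for example `secure_memzero(ekm, size);`) before `gc_free(&gc)`; the old header contract only said the caller "may zero the string", and nothing inside the hunk does so.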
@ -398,18 +398,14 @@ void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx,
|
|||
* @param session The session associated with the given key_state
|
||||
* @param label The label to use when exporting the key
|
||||
* @param label_size The size of the label to use when exporting the key
|
||||
* @param ekm_size THe size of the exported/returned key material
|
||||
* @param gc gc_arena that might be used to allocate the string
|
||||
* returned
|
||||
* @returns The exported key material, the caller may zero the
|
||||
* string but should not free it
|
||||
* @param ekm Buffer to return the exported key material in
|
||||
* @param ekm_size The size of ekm, in bytes
|
||||
* @returns true if exporting succeeded, false otherwise
|
||||
*/
|
||||
|
||||
unsigned char*
|
||||
bool
|
||||
key_state_export_keying_material(struct tls_session *session,
|
||||
const char* label, size_t label_size,
|
||||
size_t ekm_size,
|
||||
struct gc_arena *gc) __attribute__((nonnull));
|
||||
void *ekm, size_t ekm_size);
|
||||
|
||||
/**************************************************************************/
|
||||
/** @addtogroup control_tls
|
||||
|
|
|
|||
|
|
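Review bot: The new prototype line `void *ekm, size_t ekm_size);` drops the `__attribute__((nonnull))` that the old declaration carried, so a NULL `session`, `label` or, now, `ekm` no longer produces a compiler diagnostic at call sites; restoring it as `void *ekm, size_t ekm_size) __attribute__((nonnull));` keeps the previous checking and extends it to the new buffer parameter. The new `@param ekm` and `@returns` text also leaves the state of the buffer after a failed export unspecified, while the two backends in this commit scrub `ekm` when the library call fails but the mbed TLS early return for a missing PRF leaves it untouched. A line such as `* On failure the contents of ekm are undefined and must not be used.` would make that part of the contract for callers like generate_key_expansion_tls_export, which now receives key material directly into `key2->keys`.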
@ -219,11 +219,10 @@ mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms,
|
|||
return true;
|
||||
}
|
||||
|
||||
unsigned char *
|
||||
bool
|
||||
key_state_export_keying_material(struct tls_session *session,
|
||||
const char* label, size_t label_size,
|
||||
size_t ekm_size,
|
||||
struct gc_arena *gc)
|
||||
void *ekm, size_t ekm_size)
|
||||
{
|
||||
ASSERT(strlen(label) == label_size);
|
||||
|
||||
|
|
@ -233,10 +232,9 @@ key_state_export_keying_material(struct tls_session *session,
|
|||
* there is no PRF, in both cases we cannot generate key material */
|
||||
if (cache->tls_prf_type == MBEDTLS_SSL_TLS_PRF_NONE)
|
||||
{
|
||||
return NULL;
|
||||
return false;
|
||||
}
|
||||
|
||||
unsigned char *ekm = (unsigned char *) gc_malloc(ekm_size, true, gc);
|
||||
int ret = mbedtls_ssl_tls_prf(cache->tls_prf_type, cache->master_secret,
|
||||
sizeof(cache->master_secret),
|
||||
label, cache->client_server_random,
|
||||
|
|
@ -245,12 +243,12 @@ key_state_export_keying_material(struct tls_session *session,
|
|||
|
||||
if (mbed_ok(ret))
|
||||
{
|
||||
return ekm;
|
||||
return true;
|
||||
}
|
||||
else
|
||||
{
|
||||
secure_memzero(ekm, session->opt->ekm_size);
|
||||
return NULL;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
#else
|
||||
|
|
|
|||
|
|
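Review bot: In the third hunk the failure branch still calls `secure_memzero(ekm, session->opt->ekm_size);` even though `ekm` is now a caller-supplied buffer whose length is the `ekm_size` parameter introduced in the first hunk; the OpenSSL backend's matching branch uses `secure_memzero(ekm, ekm_size);`. generate_key_expansion_tls_export passes `key2->keys` with `sizeof(key2->keys)`, so whenever `session->opt->ekm_size` differs from the caller's buffer size the scrub either leaves part of the buffer unzeroed or writes past its end. The line should read `secure_memzero(ekm, ekm_size);`. The mismatch already existed when the buffer was gc-allocated inside this function, but it becomes a write into someone else's memory now that the buffer comes from the caller; the function body spans all three hunks and starts and ends within them.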
@ -158,26 +158,23 @@ tls_ctx_initialised(struct tls_root_ctx *ctx)
|
|||
return NULL != ctx->ctx;
|
||||
}
|
||||
|
||||
unsigned char*
|
||||
bool
|
||||
key_state_export_keying_material(struct tls_session *session,
|
||||
const char* label, size_t label_size,
|
||||
size_t ekm_size,
|
||||
struct gc_arena *gc)
|
||||
void *ekm, size_t ekm_size)
|
||||
|
||||
{
|
||||
unsigned char *ekm = (unsigned char *) gc_malloc(ekm_size, true, gc);
|
||||
|
||||
SSL* ssl = session->key[KS_PRIMARY].ks_ssl.ssl;
|
||||
|
||||
if (SSL_export_keying_material(ssl, ekm, ekm_size, label,
|
||||
label_size, NULL, 0, 0) == 1)
|
||||
{
|
||||
return ekm;
|
||||
return true;
|
||||
}
|
||||
else
|
||||
{
|
||||
secure_memzero(ekm, ekm_size);
|
||||
return NULL;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||