Change options->data_channel_use_ekm to flags
authorArne Schwabe <arne@rfc2549.org>
Thu, 8 Apr 2021 14:02:26 +0000 (16:02 +0200)
committerGert Doering <gert@greenie.muc.de>
Tue, 27 Apr 2021 11:47:23 +0000 (13:47 +0200)
Instead of maintaining two different representations of the data channel
options in struct options and struct tls_options, use the same
flags variable that tls_options uses.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210408140229.31824-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22084.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/multi.c
src/openvpn/options.c
src/openvpn/options.h
src/openvpn/push.c
src/openvpn/ssl.c

index 4a769fecd6265b8d82f751cb481356c2c8b30987..f45f6b0e84e99f4e969aa84ba5facfbe4abcb324 100644 (file)
@@ -1783,7 +1783,10 @@ multi_client_set_protocol_options(struct context *c)
     }
 
 #ifdef HAVE_EXPORT_KEYING_MATERIAL
-    o->data_channel_use_ekm = (proto & IV_PROTO_TLS_KEY_EXPORT);
+    if (proto & IV_PROTO_TLS_KEY_EXPORT)
+    {
+        o->data_channel_crypto_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
+    }
 #endif
 
     /* Select cipher if client supports Negotiable Crypto Parameters */
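Review bot: The new code on L28-L31 can only set CO_USE_TLS_KEY_MATERIAL_EXPORT, while the removed assignment on L27 also cleared it when the client did not advertise IV_PROTO_TLS_KEY_EXPORT, so the clear-on-absence case is lost. If the per-client `o` can reach this point with the bit already set (the same commit makes add_option set it for `key-derivation tls-ekm`, and per-client options are presumably derived from the server's parsed options), a client without the capability would still be pushed `key-derivation tls-ekm` by the push.c change and the two ends would derive their data channel keys differently. Restoring the old semantics is a three-line addition: `else { o->data_channel_crypto_flags &= ~CO_USE_TLS_KEY_MATERIAL_EXPORT; }`. Whether the bit can actually be pre-set here is not visible in the hunk, so this may be theoretical; multi_client_set_protocol_options continues outside the hunk.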
index 2a5b1393ed097162864bc3c3c90d5183b8cf08dc..70fed9a54305331350d85376cedc9d72579483a4 100644 (file)
@@ -3671,7 +3671,7 @@ pre_connect_restore(struct options *o, struct gc_arena *gc)
 
     o->push_continuation = 0;
     o->push_option_types_found = 0;
-    o->data_channel_use_ekm = false;
+    o->data_channel_crypto_flags = 0;
 }
 
 /**
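Review bot: `o->data_channel_crypto_flags = 0;` on L41 clears the whole word rather than the single EKM bit, which is only correct as long as every bit stored in this field originates from a pulled option and nothing config-derived is ever written into it. That invariant is not stated anywhere in the hunk; I would add it here so the next CO_* flag does not silently get wiped on reconnect: `/* all bits in here come from a previous PUSH_REPLY; config-derived crypto flags must not be stored in this field */`. pre_connect_restore begins outside the hunk.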
@@ -7977,7 +7977,7 @@ add_option(struct options *options,
 #ifdef HAVE_EXPORT_KEYING_MATERIAL
         if (streq(p[1], "tls-ekm"))
         {
-            options->data_channel_use_ekm = true;
+            options->data_channel_crypto_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
         }
         else
 #endif
index c55384c7b1d6658f8e3c2e80da90d99384efd876..41e84f7e156a7a8365871740be2215b470846964 100644 (file)
@@ -657,8 +657,8 @@ struct options
      * to the routing tables that would move packets into the tunnel. */
     bool allow_recursive_routing;
 
-    /* Use RFC5705 key export to generate data channel keys */
-    bool data_channel_use_ekm;
+    /* data channel crypto flags set by push/pull. Reuses the CO_* crypto_flags */
+    unsigned int data_channel_crypto_flags;
 };
 
 #define streq(x, y) (!strcmp((x), (y)))
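Review bot: The new comment on L61 says the field reuses the CO_* bits but not how it is consumed, which is the part a maintainer needs when deciding what may be stored in it. From the other hunks in this commit the field is OR-ed wholesale into tls_options.crypto_flags by tls_session_update_crypto_params() and zeroed by pre_connect_restore(), so I would write it as `/* Data channel crypto flags (CO_* bits) learned from push/pull. OR-ed verbatim into tls_options.crypto_flags by tls_session_update_crypto_params() and reset to 0 by pre_connect_restore(), so only pushable bits belong here. */`. A note that the type must stay compatible with tls_options.crypto_flags (an unsigned int is assumed on L62) would also help.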
index 15a9141eec090e69af3eaed88ea00dc874487316..2e92d8ee2b2eee5638b5927503ed023f0579d5a9 100644 (file)
@@ -595,7 +595,7 @@ prepare_push_reply(struct context *c, struct gc_arena *gc,
     {
         push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);
     }
-    if (o->data_channel_use_ekm)
+    if (o->data_channel_crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
     {
         push_option_fmt(gc, push_list, M_USAGE, "key-derivation tls-ekm");
     }
index 39c6cdc1851d318991a26e3ce99c0becb9d4b310..d4debfa739041feebcbdc993755a672153aee1f3 100644 (file)
@@ -1885,10 +1885,8 @@ tls_session_update_crypto_params(struct tls_session *session,
         return false;
     }
 
-    if (options->data_channel_use_ekm)
-    {
-        session->opt->crypto_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
-    }
+    /* Import crypto settings that might be set by pull/push */
+    session->opt->crypto_flags |= options->data_channel_crypto_flags;
 
     if (strcmp(options->ciphername, session->opt->config_ciphername))
     {