From 8ba3987f4ca01d2590181fb33c161a0cc04b9d54 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sat, 19 Jan 2019 20:09:50 +0100
Subject: [PATCH] occtl: print the TLS session information, even if no DTLS channel

This ensures that the main process receives the TLS channel information early and does not depend on DTLS channel establishment. Furthermore, we refactor to make setup_dtls_psk_keys() fail early when no TLS channel is available.

Signed-off-by: Nikos Mavrogiannopoulos
---
 NEWS                   |  2 ++
 src/worker-vpn.c       | 15 ++++++++-------
 tests/cipher-common.sh | 15 +++++++++++----
 3 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/NEWS b/NEWS
index 14e7ff7d..10b6691b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,7 @@
 * Version 0.12.3 (unreleased)
 - Prevented crash when no DTLS ciphersuite is negotiated
+- occtl: print the TLS session information, even if the DTLS channel
+  is not established.
 
 * Version 0.12.2 (released 2019-01-10)
 
diff --git a/src/worker-vpn.c b/src/worker-vpn.c
index 2988d2ea..1acecb17 100644
--- a/src/worker-vpn.c
+++ b/src/worker-vpn.c
@@ -226,18 +226,18 @@ static int setup_dtls_psk_keys(gnutls_session_t session, struct worker_st *ws)
 	gnutls_psk_set_server_credentials_function(WSCREDS(ws)->pskcred, get_psk_key);
 
-	if (ws->session && WSCONFIG(ws)->match_dtls_and_tls) {
+	if (!ws->session) {
+		oclog(ws, LOG_ERR, "cannot setup PSK keys without an encrypted CSTP channel");
+		return -1;
+	}
+
+	if (WSCONFIG(ws)->match_dtls_and_tls) {
 		cipher = gnutls_cipher_get(ws->session);
 		mac = gnutls_mac_get(ws->session);
 
 		snprintf(prio_string, sizeof(prio_string), "%s:"VERS_STRING":-CIPHER-ALL:-MAC-ALL:-KX-ALL:+PSK:+VERS-DTLS-ALL:+%s:+%s", WSCONFIG(ws)->priorities, gnutls_mac_get_name(mac), gnutls_cipher_get_name(cipher));
 	} else {
-		if (WSCONFIG(ws)->match_dtls_and_tls) {
-			oclog(ws, LOG_ERR, "cannot determine ciphersuite from CSTP channel (unset match-tls-dtls-ciphers)");
-			return -1;
-		}
-
 		/* if we haven't an associated session, enable all ciphers we would have enabled
 		 * otherwise for TLS. */
 		snprintf(prio_string, sizeof(prio_string), "%s:"VERS_STRING":-KX-ALL:+PSK:+VERS-DTLS-ALL",
@@ -801,6 +801,8 @@ void vpn_server(struct worker_st *ws)
 		oclog(ws, LOG_DEBUG, "Accepted unix connection");
 	}
 
+	ws->session = session;
+	session_info_send(ws);
 
 	memset(&settings, 0, sizeof(settings));
 
@@ -823,7 +825,6 @@ void vpn_server(struct worker_st *ws)
 		oclog(ws, LOG_DEBUG, "proxy-hdr: peer is %s\n", ws->remote_ip_str);
 	}
 
-	ws->session = session;
 	ws->parser = &parser;
 
 restart:
diff --git a/tests/cipher-common.sh b/tests/cipher-common.sh
index ce663684..26ea715c 100755
--- a/tests/cipher-common.sh
+++ b/tests/cipher-common.sh
@@ -137,7 +137,7 @@ if test $? != 0;then
 	exit 1
 fi
 
-grep "Username: ${USERNAME}" ${OUTFILE}
+grep "Username: ${USERNAME}" ${OUTFILE} >/dev/null
 if test $? != 0;then
 	${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
 	echo "occtl show user didn't find connected user!"
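Review bot: The comment `/* if we haven't an associated session, enable all ciphers we would have enabled * otherwise for TLS. */` in the else branch is stale after this change: the new guard at the top returns -1 whenever ws->session is NULL, so the else branch is now reached only because match_dtls_and_tls is unset, never because a session is missing. Suggest rewording it to `/* match-tls-dtls-ciphers is off: allow every cipher the configured TLS priority string permits over DTLS. */`. Separately, neither snprintf() result is checked; if prio_string is a fixed-size buffer (its declaration is outside the hunk), a long configured priorities string would be silently truncated into a different DTLS priority than intended, and a check such as `if (ret < 0 || (size_t)ret >= sizeof(prio_string)) return -1;` after each call would turn that into an error. Note also that gnutls_psk_set_server_credentials_function() has already been applied before the new early return, so that side effect persists on the failure path. setup_dtls_psk_keys() begins and ends outside the hunk, so I cannot tell whether anything acquired earlier needs releasing before the new `return -1`.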
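Review bot: `session_info_send(ws)` now runs before the proxy-protocol header is handled (the `proxy-hdr: peer is %s` log in the following hunk shows ws->remote_ip_str being updated afterwards), so if the session-info message carries the peer address the main process would presumably record the pre-proxy address; worth confirming against session_info_send()'s definition, which is outside this hunk. The call's return value is also discarded; if it can report failure, logging it with `oclog(ws, LOG_DEBUG, "could not send session info to main process");` would help diagnose a main process that never learns the TLS parameters. vpn_server() starts and ends outside the hunk.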
@@ -145,14 +145,14 @@ if test $? != 0;then
 fi
 
 if test -z "${GNUTLS_NAME}";then
-	grep "DTLS cipher:" ${OUTFILE}
+	grep "DTLS cipher:" ${OUTFILE} >/dev/null
 	if test $? = 0;then
 		${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
 		echo "occtl show user did show a cipher!"
 		exit 1
 	fi
 else
-	grep "DTLS cipher: ${GNUTLS_NAME}" ${OUTFILE}
+	grep "DTLS cipher: ${GNUTLS_NAME}" ${OUTFILE} >/dev/null
 	if test $? != 0;then
 		${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
 		echo "occtl show user didn't show cipher!"
@@ -160,7 +160,14 @@ else
 	fi
 fi
 
-grep ${CLI_ADDRESS} ${OUTFILE}
+grep -E '[[:space:]]+TLS ciphersuite:' ${OUTFILE} >/dev/null
+if test $? != 0;then
+	${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
+	echo "occtl show user did not show a TLS cipher!"
+	exit 1
+fi
+
+grep ${CLI_ADDRESS} ${OUTFILE} >/dev/null
 if test $? != 0;then
 	${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
 	echo "occtl show user didn't find client address!"
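Review bot: The new check `grep -E '[[:space:]]+TLS ciphersuite:' ${OUTFILE} >/dev/null` only verifies that the label is printed, unlike the DTLS check above it which matches the expected `${GNUTLS_NAME}`; an empty or garbage value after the colon would still pass, so the test would not catch the main process receiving a blank TLS record. Tightening it to `grep -E 'TLS ciphersuite:[[:space:]]*[^[:space:]]' ${OUTFILE} >/dev/null` at least pins a non-empty value, and matching the negotiated TLS ciphersuite name where the test knows it would mirror the DTLS assertion. The leading `[[:space:]]+` anchor also ties the test to occtl's current output indentation and can be dropped without losing anything.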