| Message ID | 20221108151407.1132097-1-arne@rfc2549.org |
|---|---|
| State | Accepted |
| Headers | From: Arne Schwabe <arne@rfc2549.org>; To: openvpn-devel@lists.sourceforge.net; Date: Tue, 8 Nov 2022 16:14:07 +0100; Message-Id: <20221108151407.1132097-1-arne@rfc2549.org>; X-Mailer: git-send-email 2.25.1; Subject: [Openvpn-devel] [PATCH] Add packet type in accept/reject messages for HMAC packet; List-Id: <openvpn-devel.lists.sourceforge.net>; Content-Type: text/plain; charset="us-ascii" |
| Series | [Openvpn-devel] Add packet type in accept/reject messages for HMAC packet |
Commit Message
Arne Schwabe
Nov. 8, 2022, 4:14 a.m. UTC
This allows a bit easier debugging when trying to figure out what kind
of packet triggered a reject/accept.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
src/openvpn/mudp.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
Comments
Acked-by: Gert Doering <gert@greenie.muc.de>

This is a useful addition. It works...

2022-11-08 17:39:46 us=399783 Connection Attempt Valid packet (P_CONTROL_V1) with HMAC challenge from peer ([AF_INET6]::ffff:194.97.140.21:61081), accepting new connection.

.. and uncovered a new bug...

2022-11-08 17:39:46 us=439044 194.97.140.21:61081 peer info: IV_NCP=2
2022-11-08 17:39:46 us=439083 194.97.140.21:61081 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
..
2022-11-08 17:39:46 us=448391 cron2-freebsd-tc-amd64/194.97.140.21:61081 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-11-08 17:39:46 us=448421 cron2-freebsd-tc-amd64/194.97.140.21:61081 Data Channel MTU parms [ mss_fix:1379 max_frag:0 tun_mtu:1500 headroom:136 payload:1736 tailroom:557 ET:0 ]
2022-11-08 17:39:46 us=448505 cron2-freebsd-tc-amd64/194.97.140.21:61081 Master Encrypt (cipher): 1fdef04a 9fc2d2e9 d01abb10 5bf10459 19f4ecd8 ec471652 f15dd536 0d7adf87
2022-11-08 17:39:46 us=448544 cron2-freebsd-tc-amd64/194.97.140.21:61081 Message hash algorithm 'none' not found
2022-11-08 17:39:46 us=448590 cron2-freebsd-tc-amd64/194.97.140.21:61081 Exiting due to fatal error

.. and then the server exits. With --verb 4 it does not... (but the message in *this* patch needs "verb 7" to see) - this is not caused by the patch here, but sneaked in earlier.

GDB says this is the call chain where it happens...

#0  md_get (digest=0x5555555e1064 "none") at crypto_mbedtls.c:774
#1  0x0000555555568d39 in md_kt_size (mdname=<optimized out>) at crypto_mbedtls.c:812
#2  0x0000555555564b69 in key2_print (k=k@entry=0x7fffffffbf10, kt=0x555555638798, prefix0=prefix0@entry=0x5555556025ed "Master Encrypt", prefix1=prefix1@entry=0x5555556025de "Master Decrypt") at crypto.c:1013
#3  0x00005555555cb157 in generate_key_expansion (ks=ks@entry=0x555555638d10, session=session@entry=0x555555638b78, multi=<optimized out>) at ssl.c:1645
#4  0x00005555555cc010 in tls_session_generate_data_channel_keys (multi=<optimized out>, session=0x555555638b78) at ssl.c:1705
#5  0x00005555555cc232 in tls_session_update_crypto_params_do_work (multi=<optimized out>, session=<optimized out>, options=options@entry=0x555555637690, frame=frame@entry=0x555555638288, frame_fragment=<optimized out>, lsi=<optimized out>) at ssl.c:1769
#6  0x00005555555cc330 in tls_session_update_crypto_params_do_work (lsi=<optimized out>, frame_fragment=<optimized out>, frame=0x555555638288, options=0x555555637690, session=<optimized out>, multi=<optimized out>) at ssl.c:1789
#7  0x0000555555591bb7 in multi_client_generate_tls_keys (c=0x555555637690) at multi.c:2322
#8  multi_client_connect_late_setup (option_types_found=<optimized out>, mi=0x5555556374d0, m=0x7fffffffc250) at multi.c:2464
#9  multi_connection_established (mi=0x5555556374d0, m=0x7fffffffc250) at multi.c:2735

.. so it should be easy to pinpoint. Not sure what the "right" fix is, though. Not my field.

Your patch has been applied to the master branch.

commit 4466c5dcb7a77d4a214e60afc6c7b41688d0ec04
Author: Arne Schwabe
Date:   Tue Nov 8 16:14:07 2022 +0100

    Add packet type in accept/reject messages for HMAC packet

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20221108151407.1132097-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25489.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 4ab18b72c..7c6fc816e 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -148,14 +148,18 @@ do_pre_decrypt_check(struct multi_context *m, bool ret = check_session_id_hmac(state, from, hmac, handwindow); const char *peer = print_link_socket_actual(&m->top.c2.from, &gc); + uint8_t pkt_firstbyte = *BPTR( &m->top.c2.buf); + int op = pkt_firstbyte >> P_OPCODE_SHIFT; + if (!ret) { - msg(D_MULTI_MEDIUM, "Packet with invalid or missing SID from %s", peer); + msg(D_MULTI_MEDIUM, "Packet (%s) with invalid or missing SID from %s", + packet_opcode_name(op), peer); } else { - msg(D_MULTI_DEBUG, "Valid packet with HMAC challenge from peer (%s), " - "accepting new connection.", peer); + msg(D_MULTI_DEBUG, "Valid packet (%s) with HMAC challenge from peer (%s), " + "accepting new connection.", packet_opcode_name(op), peer); } gc_free(&gc);
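Review bot: the new first-byte read `uint8_t pkt_firstbyte = *BPTR( &m->top.c2.buf);` happens unconditionally before the `if (!ret)` branch, and nothing in the hunk itself shows that the buffer is non-empty; it is only safe because the packet has already been run through `check_session_id_hmac(state, from, hmac, handwindow)` in the preceding context line, so a one-line comment stating that the opcode byte was validated upstream would stop the next reader from treating this as an unchecked read on a packet that failed the SID check. Two smaller points: drop the stray space in `*BPTR( &m->top.c2.buf)` to match the surrounding style, and since the opcode is now logged on both the reject path (D_MULTI_MEDIUM) and the accept path (D_MULTI_DEBUG), the accept message still needs a high verbosity level to be visible, which the commit message could mention for anyone who wants to use it for debugging.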