From patchwork Thu Jul 9 00:16:00 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1216
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 9 Jul 2020 12:16:00 +0200
Message-Id: <20200709101603.11941-5-arne@rfc2549.org>
In-Reply-To: <20200709101603.11941-1-arne@rfc2549.org>
References: <20200709101603.11941-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 5/8] Generate data channel keys after connect options have been parsed

To simplify the control flow, it makes more sense to generate the data keys when all the prerequisites for generating the data channel keys (ncp cipher selection etc) are met instead of delaying it to the next incoming PUSH_REQUEST message.

This also eliminates the need for the hack introduced by commit 3b06b57d9 to generate the data channel keys on the async file close event.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/multi.c | 54 ++++++++++++++++++++++++++-------------------
 src/openvpn/push.c  | 27 ++++-------------------
 2 files changed, 35 insertions(+), 46 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index f04c4c90..810e489a 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c
@@ -1843,6 +1843,30 @@ multi_client_set_protocol_options(struct context *c) } } +/** + * Generates the data channel keys + */ +static bool +multi_client_generate_tls_keys(struct context *c) +{ + struct frame *frame_fragment = NULL; +#ifdef ENABLE_FRAGMENT + if (c->options.ce.fragment) + { + frame_fragment = &c->c2.frame_fragment; + } +#endif + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + if (!tls_session_update_crypto_params(session, &c->options, + &c->c2.frame, frame_fragment)) + { + msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); + register_signal(c, SIGUSR1, "process-push-msg-failed"); + return false; + } + + return true; +} /* * Called as soon as the SSL/TLS connection authenticates. @@ -2149,7 +2173,13 @@ script_failed: /* authentication complete, calculate dynamic client specific options */ multi_client_set_protocol_options(&mi->context); - /* send push reply if ready*/ + /* Generate data channel keys */ + if (!multi_client_generate_tls_keys(&mi->context)) + { + mi->context.c2.context_auth = CAS_FAILED; + } + + /* send push reply if ready */ if (mi->context.c2.push_request_received) { process_incoming_push_request(&mi->context); 
@@ -2205,28 +2235,6 @@ multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags) { /* continue authentication, perform NCP negotiation and send push_reply */ multi_process_post(m, mi, mpp_flags); - - /* With NCP and deferred authentication, we perform cipher negotiation and - * data channel keys generation on incoming push request, assuming that auth - * succeeded. When auth succeeds in between push requests and async push is used, - * we send push reply immediately. Above multi_process_post() call performs - * NCP negotiation and here we do keys generation. */ - - struct context *c = &mi->context; - struct frame *frame_fragment = NULL; -#ifdef ENABLE_FRAGMENT - if (c->options.ce.fragment) - { - frame_fragment = &c->c2.frame_fragment; - } -#endif - struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - if (!tls_session_update_crypto_params(session, &c->options, - &c->c2.frame, frame_fragment)) - { - msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); - register_signal(c, SIGUSR1, "init-data-channel-failed"); - } } else { diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 92a28a14..5bc4328c 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
@@ -359,30 +359,11 @@ incoming_push_message(struct context *c, const struct buffer *buffer) } event_timeout_clear(&c->c2.push_request_interval); } - else if (status == PUSH_MSG_REQUEST) - { - if (c->options.mode == MODE_SERVER) - { - struct frame *frame_fragment = NULL; -#ifdef ENABLE_FRAGMENT - if (c->options.ce.fragment) - { - frame_fragment = &c->c2.frame_fragment; - } -#endif - struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - if (!tls_session_update_crypto_params(session, &c->options, - &c->c2.frame, frame_fragment)) - { - msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); - goto error; - } - } - } goto cleanup; + error: - register_signal(c, SIGUSR1, "process-push-msg-failed"); + register_signal(c, SIGUSR1, "process-push-msg-failed"); cleanup: gc_free(&gc); } @@ -748,7 +729,6 @@ process_incoming_push_request(struct context *c) { int ret = PUSH_MSG_ERROR; - c->c2.push_request_received = true; if (tls_authentication_status(c->c2.tls_multi, 0) == TLS_AUTHENTICATION_FAILED || c->c2.context_auth == CAS_FAILED) { const char *client_reason = tls_client_reason(c->c2.tls_multi); @@ -810,7 +790,7 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt) static int process_incoming_push_reply(struct context *c, unsigned int permission_mask, - const unsigned int *option_types_found, + unsigned int *option_types_found, struct buffer *buf) { int ret = PUSH_MSG_ERROR; @@ -875,6 +855,7 @@ process_incoming_push_msg(struct context *c, if (buf_string_compare_advance(&buf, "PUSH_REQUEST")) { + c->c2.push_request_received = true; return process_incoming_push_request(c); } else if (honor_received_options
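Review bot: In the new multi_client_generate_tls_keys() (multi.c hunk at @@ -1843), the failure path registers SIGUSR1 with the reason "process-push-msg-failed", a string carried over from push.c; the helper is now called from the authentication-complete path rather than from push message processing, so that reason is misleading in logs. The block this replaces in multi_process_file_closed() used "init-data-channel-failed", which describes the failure accurately, so suggest keeping that string. The doc comment says "Generates the data channel keys" while the function is named ..._generate_tls_keys; naming it after what it does (e.g. multi_client_generate_data_channel_keys) avoids confusion with the TLS control channel keys.

Review bot: In the multi.c hunk at @@ -2149 (context line script_failed:), multi_client_generate_tls_keys() is called unconditionally before the context_auth state is looked at. If context_auth can already be CAS_FAILED at this point (for example after a failed client-connect script, which the script_failed: context suggests), the key derivation is wasted work for a client that is about to be rejected; consider guarding the call with `if (mi->context.c2.context_auth != CAS_FAILED)`. A short comment on why the code continues to process_incoming_push_request() after a failure instead of returning (it relies on that function checking CAS_FAILED and sending the failure reply, while the helper has already registered SIGUSR1 to tear the client down) would help the next reader.

Review bot: In the multi_process_file_closed() hunk (multi.c @@ -2205), the surviving comment "continue authentication, perform NCP negotiation and send push_reply" no longer tells the reader that multi_process_post() now also generates the data channel keys, which is exactly why the removed block is no longer needed; suggest extending it to "continue authentication, perform NCP negotiation, generate data channel keys and send push_reply".

Review bot: In the incoming_push_message() hunk (push.c @@ -359), removing the PUSH_MSG_REQUEST branch removes the only `goto error` visible in this hunk; if no other jump to error: remains in the function, the label becomes unreachable and compilers warn about an unused label, so either drop the label together with its register_signal() call or confirm another `goto error` still exists above the hunk. The `- register_signal(...)` / `+ register_signal(...)` pair is a whitespace-only change to an otherwise identical line and adds noise to a behavioural patch; drop it or mention it in the commit message.

Review bot: Moving `c->c2.push_request_received = true;` out of process_incoming_push_request() (push.c hunk at @@ -748) into the PUSH_REQUEST branch of process_incoming_push_msg() (hunk at @@ -875) changes which callers set the flag. The multi.c caller added in this patch only invokes process_incoming_push_request() when the flag is already set, so the move is correct there, but any other caller that relied on the function setting the flag itself would now leave it unset; please check the remaining callers and add a sentence about this relocation to the commit message, which currently only describes the key generation change.

Review bot: The signature change in the push.c hunk at @@ -810, from `const unsigned int *option_types_found` to `unsigned int *option_types_found` in process_incoming_push_reply(), is unrelated to the subject of this patch and nothing in the hunk writes through the pointer to justify dropping const. Either it belongs with the patch in the series that needs the write, or it should be split out with its own justification; as it stands it silently weakens a const contract on the client-side push reply parser.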