From patchwork Wed Sep 30 03:13:07 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1493
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 30 Sep 2020 15:13:07 +0200
Message-Id: <20200930131317.1299-3-arne@rfc2549.org>
In-Reply-To: <20200930131317.1299-1-arne@rfc2549.org>
References: <20200930131317.1299-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 01/11] Change pull request timeout use a timeout rather than a number

This commit changes the count n_sent_push_requests to the time_t based push_request_timeout. This is more in line with our other timeouts, which are also time based instead of retry-count based.

This does not change the behaviour, but it prepares for allowing the pull request timeout to be extended during a pending authentication. As a user visible change, we print the time we waited for a timeout instead.

Also update the man page to actually document that hand-window controls this timeout.

Signed-off-by: Arne Schwabe
---
 doc/man-sections/tls-options.rst | 4 ++++
 src/openvpn/forward.c            | 1 +
 src/openvpn/openvpn.h            | 2 +-
 src/openvpn/push.c               | 9 ++++++---
 4 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 8c2db7cd..4d9ee2dc 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -200,6 +200,10 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa will still use our expiring key for up to ``--tran-window`` seconds to maintain continuity of transmission of tunnel data. + The ``--hand-window`` parameter also controls the amount of of time that + the OpenVPN client repeats the pull request until it times out on pull + requests until giving up. + --key file Local peer's private key in .pem format. Use the private key which was generated when you built your peer's certificate (see ``--cert file`` diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 7ed8d0d7..325f1373 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -292,6 +292,7 @@ check_connection_established(struct context *c) } #endif /* fire up push request right away (already 1s delayed) */ + c->c2.push_request_timeout = now + c->options.handshake_window; event_timeout_init(&c->c2.push_request_interval, 0, now); reset_coarse_timers(c); } diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index a7b59774..4630b33e 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -462,7 +462,7 @@ struct context_2 enum client_connect_status context_auth; struct event_timeout push_request_interval; - int n_sent_push_requests; + time_t push_request_timeout; bool did_pre_pull_restore; /* hash of pulled options, so we can compare when options change */ diff --git a/src/openvpn/push.c b/src/openvpn/push.c index e0d2eeaf..5fc3eb18 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
@@ -369,14 +369,17 @@ cleanup: bool send_push_request(struct context *c) { - const int max_push_requests = c->options.handshake_window / PUSH_REQUEST_INTERVAL; - if (++c->c2.n_sent_push_requests <= max_push_requests) + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + struct key_state *ks = &session->key[KS_PRIMARY]; + + if (c->c2.push_request_timeout > now) { return send_control_channel_string(c, "PUSH_REQUEST", D_PUSH); } else { - msg(D_STREAM_ERRORS, "No reply from server after sending %d push requests", max_push_requests); + msg(D_STREAM_ERRORS, "No reply from server to push requests in %ds", + (int)(now - ks->established)); c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- server-pushed connection reset */ c->sig->signal_text = "no-push-reply"; return false;
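Review bot: in the tls-options.rst hunk the added ``--hand-window`` paragraph has a doubled word ("amount of of time") and its second half repeats itself ("repeats the pull request until it times out on pull requests until giving up"). Suggest collapsing it to "The ``--hand-window`` parameter also controls the amount of time that the OpenVPN client keeps repeating the pull request before giving up." It would also help the reader to say what "giving up" means, namely that the client restarts the connection, since that is what the SOFT-SIGUSR1 branch in push.c does.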
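Review bot: in the forward.c hunk, `push_request_timeout` is assigned only here in check_connection_established, and the comment right above it notes the push request is "already 1s delayed", so the deadline is measured from a later point than the `now - ks->established` that the push.c error message prints; the reported wait can therefore differ from handshake_window by that delay. Consider using one reference for both, for example computing the deadline from `ks->established` or printing the configured window. Also, because the field lives in context_2 and starts out zero, please confirm that no other path arms `push_request_interval` without first passing through this assignment: with a zero deadline `send_push_request` would go straight to the "no-push-reply" branch.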
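Review bot: in the openvpn.h hunk the new `time_t push_request_timeout;` carries no comment, and its zero default means the opposite of the counter it replaces: a zero `n_sent_push_requests` meant "nothing sent yet, keep going", whereas a zero `push_request_timeout` means "deadline already passed". A one-line comment such as `/* absolute time until which PUSH_REQUEST is retried */` would make the semantics clear for the follow-up patches that the commit message says will extend this deadline.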
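Review bot: in the push.c hunk, `session` and `ks` are computed on every call but only `ks->established` is used, and only in the error branch; move both declarations into the `else` block, or drop `session` and index `c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY]` directly. The behaviour also shifts slightly from what the commit message claims: the old code sent exactly `handshake_window / PUSH_REQUEST_INTERVAL` requests regardless of timer jitter, while `push_request_timeout > now` sends as many as fit in the wall-clock window. That seems fine, and printing the real elapsed `now - ks->established` is what the message promises, but a sentence in the commit message acknowledging the change would avoid surprising readers of the log.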