From patchwork Fri Apr 22 04:29:41 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2388 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id 4HEmHi28YmLRQwAAqwncew (envelope-from ) for ; Fri, 22 Apr 2022 10:31:09 -0400 Received: from proxy16.mail.ord1d.rsapps.net ([172.30.191.6]) by director14.mail.ord1d.rsapps.net with LMTP id EOXMMy28YmKaBAAAeJ7fFg (envelope-from ) for ; Fri, 22 Apr 2022 10:31:09 -0400 Received: from smtp12.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy16.mail.ord1d.rsapps.net with LMTPS id iLd9My28YmJ6XQAAetu3IA (envelope-from ) for ; Fri, 22 Apr 2022 10:31:09 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp12.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: d9b3a9ca-c248-11ec-9090-52540070b731-1-1 Received: from [216.105.38.7] ([216.105.38.7:54204] helo=lists.sourceforge.net) by smtp12.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 07/6E-28649-D2CB2626; Fri, 22 Apr 2022 10:31:09 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nhuIg-0002dr-QS; Fri, 22 Apr 2022 14:30:22 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nhuIZ-0002cM-7B for openvpn-devel@lists.sourceforge.net; Fri, 22 Apr 2022 14:30:14 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=XbX06CbXLFmDZEnSCjFRqwEX9gNNTQ4vCDFP939+R0I=; b=XvS0vlLOtH/gTi1UVmvKcELcqJ msHXWXWYKT/5cJYRzoa3S7veGJCBkV+KZJQ4d2zgNsXjTKHuqQTlmSq57pbs/0OUzWM7+pV+2mP6W AbLkAd2P5qD5xKCilkdDngIPMrdpy87H/TRgnKxz8arInNkOZcTLeINg7+iOKs9iYiEU=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=XbX06CbXLFmDZEnSCjFRqwEX9gNNTQ4vCDFP939+R0I=; b=kSclwMAlgC3G0DzejU2xoXlnG6 Dae0fXUvBTi2LZ2BW2heFbLo4bY4Y2IBHV5brVt3RRRUgvUxnEmv3eD9hZcekGko0HTbPVbfRs+eI P/gPewfZdwMfsMVDcj4uQsqYdwholzY9kIvyVz7CruiDGtTS+rU84hs0+8s1V4/cD7Ho=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1nhuIM-0005dg-60 for openvpn-devel@lists.sourceforge.net; Fri, 22 Apr 2022 14:30:02 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1nhuID-00096c-NH for openvpn-devel@lists.sourceforge.net; Fri, 22 Apr 2022 16:29:53 +0200 Received: (nullmailer pid 3805429 invoked by uid 10006); Fri, 22 Apr 2022 14:29:53 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Fri, 22 Apr 2022 16:29:41 +0200 Message-Id: <20220422142953.3805364-7-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220422142953.3805364-1-arne@rfc2549.org> References: <20220422134038.3801239-1-arne@rfc2549.org> <20220422142953.3805364-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: The current place that we reload is a bit more efficient since it only triggers reload after a completed 3way handshake. On the other hand the key_state_init is a much more logical place and with the [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1nhuIM-0005dg-60 Subject: [Openvpn-devel] [PATCH 16/28] Move CRL reload to key_state_init from S_START transition X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox The current place that we reload is a bit more efficient since it only triggers reload after a completed 3way handshake. On the other hand the key_state_init is a much more logical place and with the upcoming HMAC based UDP code and TCP code, the initialisation will only be done after a 3way handshake. Acked-by: Antonio Quartulli --- src/openvpn/ssl.c | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 097be8c02..d7fec0276 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -958,6 +958,17 @@ key_state_init(struct tls_session *session, struct key_state *ks) #ifdef ENABLE_MANAGEMENT ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++; #endif + + /* + * Attempt CRL reload before TLS negotiation. Won't be performed if + * the file was not modified since the last reload + */ + if (session->opt->crl_file + && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR)) + { + tls_ctx_reload_crl(&session->opt->ssl_ctx, + session->opt->crl_file, session->opt->crl_file_inline); + } } @@ -2512,20 +2523,8 @@ tls_process_state(struct tls_multi *multi, ks->state = S_START; state_change = true; - /* - * Attempt CRL reload before TLS negotiation. Won't be performed if - * the file was not modified since the last reload - */ - if (session->opt->crl_file - && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR)) - { - tls_ctx_reload_crl(&session->opt->ssl_ctx, - session->opt->crl_file, session->opt->crl_file_inline); - } - /* New connection, remove any old X509 env variables */ tls_x509_clear_env(session->opt->es); - dmsg(D_TLS_DEBUG_MED, "STATE S_START"); }