From patchwork Mon May 16 08:56:19 2022
X-Patchwork-Submitter: Kristof Provost via Openvpn-devel
X-Patchwork-Id: 2464
X-Patchwork-Delegate: a@unstable.cc
To: openvpn-devel
Date: Mon, 16 May 2022 20:56:19 +0200
Message-Id: <20220516185621.6182-3-kprovost@netgate.com>
In-Reply-To: <20220516185621.6182-1-kprovost@netgate.com>
References: <20220516185621.6182-1-kprovost@netgate.com>
Subject: [Openvpn-devel] [PATCH 2/4] rework do_up() for correct order of DCO operations
From: Kristof Provost

We must create the peer before we can dco_set_peer or dco_new_key. On the other hand, we must first process options, because those may change our peer id and we should create the peer with the correct id.

Split up do_deferred_options() in do_deferred_options() and finish_options().

Call any DCO configuration operations (i.e. dco_set_peer()/dco_new_key()) after we've created the peer (i.e. dco_new_peer()).
Signed-off-by: Kristof Provost --- src/openvpn/init.c | 112 +++++++++++++++++++++++++------------------- src/openvpn/init.h | 2 + src/openvpn/multi.c | 2 + 3 files changed, 68 insertions(+), 48 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index a6c93038..0d991ba4 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2093,26 +2093,26 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) } } - if ((c->mode == MODE_POINT_TO_POINT) && c->c2.did_open_tun) + if (pulled_options) { - /* ovpn-dco requires adding the peer now, before any option can be set */ - int ret = dco_p2p_add_new_peer(c); - if (ret < 0) + if (!do_deferred_options(c, option_types_found)) { - msg(D_DCO, "Cannot add peer to DCO: %s", strerror(-ret)); + msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options"); return false; } } - - if (pulled_options) + if (c->mode == MODE_POINT_TO_POINT) { - if (!do_deferred_options(c, option_types_found)) + /* ovpn-dco requires adding the peer now, before any option can be set */ + int ret = dco_p2p_add_new_peer(c); + if (ret < 0) { - msg(D_PUSH_ERRORS, "ERROR: Failed to apply push options"); + msg(D_DCO, "Cannot add peer to DCO: %s", strerror(-ret)); return false; } } - else if (c->mode == MODE_POINT_TO_POINT) + + if (!pulled_options && c->mode == MODE_POINT_TO_POINT) { if (!do_deferred_p2p_ncp(c)) { @@ -2121,6 +2121,13 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) } } + + if (!finish_options(c)) + { + msg(D_TLS_ERRORS, "ERROR: Failed to finish option processing"); + return false; + } + if (c->c2.did_open_tun) { c->c1.pulled_options_digest_save = c->c2.pulled_options_digest; 
@@ -2337,49 +2344,58 @@ do_deferred_options(struct context *c, const unsigned int found) { return false; } - struct frame *frame_fragment = NULL; + } + + return true; +} + +bool +finish_options(struct context *c) +{ + if (!c->options.pull || !dco_enabled(&c->options)) + { + return true; + } + + struct frame *frame_fragment = NULL; #ifdef ENABLE_FRAGMENT - if (c->options.ce.fragment) - { - frame_fragment = &c->c2.frame_fragment; - } + if (c->options.ce.fragment) + { + frame_fragment = &c->c2.frame_fragment; + } #endif - struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - if (!tls_session_update_crypto_params(c->c2.tls_multi, session, - &c->options, &c->c2.frame, - frame_fragment, - get_link_socket_info(c))) - { - msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); - return false; - } + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + if (!tls_session_update_crypto_params(c->c2.tls_multi, session, + &c->options, &c->c2.frame, + frame_fragment, + get_link_socket_info(c))) + { + msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); + return false; + } - if (dco_enabled(&c->options)) - { - /* Check if the pushed options are compatible with DCO if we have - * DCO enabled */ - if (!check_dco_pull_options(&c->options)) - { - msg(D_TLS_ERRORS, "OPTIONS ERROR: pushed options are incompatible with " - "data channel offload. Use --disable-dco to connect" - "to this server"); - return false; - } + /* Check if the pushed options are compatible with DCO if we have + * DCO enabled */ + if (!check_dco_pull_options(&c->options)) + { + msg(D_TLS_ERRORS, "OPTIONS ERROR: pushed options are incompatible with " + "data channel offload. 
Use --disable-dco to connect" + "to this server"); + return false; + } - if (c->options.ping_send_timeout || c->c2.frame.mss_fix) - { - int ret = dco_set_peer(&c->c1.tuntap->dco, - c->c2.tls_multi->peer_id, - c->options.ping_send_timeout, - c->options.ping_rec_timeout, - c->c2.frame.mss_fix); - if (ret < 0) - { - msg(D_DCO, "Cannot set DCO peer: %s", strerror(-ret)); - return false; - } - } + if (c->options.ping_send_timeout || c->c2.frame.mss_fix) + { + int ret = dco_set_peer(&c->c1.tuntap->dco, + c->c2.tls_multi->peer_id, + c->options.ping_send_timeout, + c->options.ping_rec_timeout, + c->c2.frame.mss_fix); + if (ret < 0) + { + msg(D_DCO, "Cannot set DCO peer: %s", strerror(-ret)); + return false; } } return true; diff --git a/src/openvpn/init.h b/src/openvpn/init.h index 1c341da3..5cc2a990 100644 --- a/src/openvpn/init.h +++ b/src/openvpn/init.h @@ -97,6 +97,8 @@ void reset_coarse_timers(struct context *c); bool do_deferred_options(struct context *c, const unsigned int found); +bool finish_options(struct context *c); + void inherit_context_child(struct context *dest, const struct context *src); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 958712f1..47e1c6cc 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2452,6 +2452,8 @@ multi_client_connect_late_setup(struct multi_context *m, mi->context.c2.tls_multi->multi_state = CAS_FAILED; } + finish_options(&mi->context); + /* send push reply if ready */ if (mi->context.c2.push_request_received) {
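Review bot: in the first do_up() hunk the new condition `if (c->mode == MODE_POINT_TO_POINT)` drops the `&& c->c2.did_open_tun` guard that the removed line carried, so dco_p2p_add_new_peer() now runs on every pass through do_up() in point-to-point mode, including passes where the tun device was not (re)opened. If the peer registered on a previous pass is still present in the DCO device (for example across a restart with --persist-tun), the second add may fail and do_up() would then return false; either keep the did_open_tun condition or explain in the commit message why re-adding the peer is safe.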
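Review bot: in the finish_options() hunk the tls_session_update_crypto_params() call now sits behind the early `return true` on `!c->options.pull || !dco_enabled(&c->options)`, whereas in the removed do_deferred_options() lines it ran before, and independently of, the `if (dco_enabled(&c->options))` block. For a client built or configured without DCO, the data-channel crypto options pushed via NCP are therefore no longer imported on this path. Keep the crypto-params update unconditional and guard only the check_dco_pull_options()/dco_set_peer() part with dco_enabled(). While these lines are being moved, the string pair `"Use --disable-dco to connect" "to this server"` is missing a space between `connect` and `to` (it renders as "connectto this server"); add it here.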
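Review bot: in the multi.c hunk the return value of `finish_options(&mi->context);` is discarded, while the do_up() hunk treats a false return as fatal. If dco_set_peer() or the crypto-params import fails for a server-side client instance, the error is only logged and the client proceeds to the push reply as if setup had succeeded; check the result and route the failure through the same `multi_state = CAS_FAILED` handling used a few lines above. It is also worth confirming that `c->options.pull` is set on the per-client server context, since finish_options() returns early otherwise and this call would be a no-op.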