From patchwork Sat Dec 24 19:42:44 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 4
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 24 Dec 2022 20:42:44 +0100
Message-Id: <20221224194253.3202231-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 0/9] Various patches to improve DCO behaviour

This is a list of various patches that improve certain corner cases of DCO behaviour or improve. The remaining issues seem to be in the ovpn-dco module and need to be fixed there first.

Remaining issues in ovpn-dco:

- If there are a lot of events, recvfrom on the netlink socket will give ENOMEM. Using Control-S and Control-Q to temporarily pause the OpenVPN daemon is a reliable way for me to trigger it.
- OpenVPN TCP sessions that are gone, especially when doing a TCP reset, are not notified to user space.
- With UDP, bombarding the server already when starting up gives me a hard freeze.
- Unloading ovpn-dco sometimes does not work. Getting 'In use by xy' failures.
- The latest FreeBSD DCO module seems to be very broken. Reverting the latest commit fixes it.
Arne Schwabe (9):
  Rename TM_UNTRUSTED to TM_INITIAL
  Always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL

These two could be smashed into one commit, but two makes reviewing easier. They clean up the state machine a bit and by doing so fix an obscure corner case that would not work in p2p dco.

  Move dco_installed back to link_socket from link_socket.info.actual

With the intention of moving back to using normal send/recv instead of using netlink, the special handling of figuring out which peer address uses which mechanism is no longer necessary. Instead of hunting the bug down, just always use sendto when wanting to send something.

  Ensure we do not promote a TA_TIMEOUT to a TA_WRITE/TA_READ event with dco

Ensures that we do not go to a socket write/read on a DCO-installed TCP socket. Also drop incoming dco packet content when dropping the packet; otherwise we would not clear the received packet and the dco code would refuse to put a new one there.

  Do not set nl socket buffer size

This does not change anything and is more cosmetic.

  Bail out when trying to install a TCP socket with residual data to DCO

This is something we could probably fix if we spent a lot more time and only ever read as little as possible (i.e. read 2 bytes to know the next packet length, and then read only the length of the next packet). But instead of adding a lot of extra code, I would rather wait for the plans of ovpn-dco and TCP and how the API evolves.

  Improve logging when seeing a message for an unknown peer
  Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions

This commit fixes a race condition that led to OpenVPN trying to add a peer that already existed.
 src/openvpn/dco.c        |  23 +-------
 src/openvpn/dco_linux.c  |   3 --
 src/openvpn/forward.c    |  27 ++--------
 src/openvpn/forward.h    |  30 +++++++++++
 src/openvpn/init.c       |   2 +-
 src/openvpn/mtcp.c       |  20 +++++--
 src/openvpn/mudp.c       |   2 +-
 src/openvpn/multi.c      |  45 +++++++++++++---
 src/openvpn/socket.c     |   8 +--
 src/openvpn/socket.h     |  11 ++--
 src/openvpn/ssl.c        | 113 +++++++++++++++------------------------
 src/openvpn/ssl.h        |   2 +-
 src/openvpn/ssl_common.h |   2 +-
 13 files changed, 144 insertions(+), 144 deletions(-)
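As an added example that is not part of this cover letter or of OpenVPN's own code, the following C program illustrates the "read only as little as possible" alternative mentioned for the "Bail out when trying to install a TCP socket with residual data to DCO" patch. OpenVPN's TCP transport prefixes every packet with a 2-byte big-endian length; that framing is real, while the function names, the socketpair harness and the two sample frames are constructed here. An exact reader pulls the header and then exactly the announced payload, so the bytes of the following packet stay in the kernel where an in-kernel consumer can still see them; a greedy reader that takes whatever is available drags part of the next packet into a user-space buffer, which is the residual-data condition the patch refuses to hand over.

```c
/* Added example, not OpenVPN project code. Function names and the two sample
 * frames are constructed; only the 2-byte big-endian length framing is
 * OpenVPN's real TCP packet format. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_FRAME 65535

/* Constructed sample payloads; the trailing NUL is part of each payload. */
static const uint8_t FRAME_A[] = "control-packet-A";   /* 17 bytes */
static const uint8_t FRAME_B[] = "data-packet-B";      /* 14 bytes */

/* Read exactly n bytes, retrying on short reads and EINTR; -1 on error/EOF. */
static int read_exact(int fd, void *buf, size_t n)
{
    uint8_t *p = buf;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        if (r == 0) return -1;                 /* peer closed mid-frame */
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Write one frame: 2-byte big-endian length, then payload. */
int write_frame(int fd, const uint8_t *payload, uint16_t len)
{
    uint8_t hdr[2] = { (uint8_t)(len >> 8), (uint8_t)(len & 0xff) };
    if (write(fd, hdr, 2) != 2) return -1;
    if (len > 0 && write(fd, payload, len) != (ssize_t)len) return -1;
    return 0;
}

/* Exact reader: header first, then exactly the announced payload, so no byte
 * of the next frame is ever requested. Returns payload length or -1. */
int read_one_frame(int fd, uint8_t *out, size_t outcap)
{
    uint8_t hdr[2];
    if (read_exact(fd, hdr, 2) < 0) return -1;
    uint16_t len = (uint16_t)((hdr[0] << 8) | hdr[1]);
    if (len > outcap) { errno = EMSGSIZE; return -1; }
    if (read_exact(fd, out, len) < 0) return -1;
    return (int)len;
}

/* Greedy reader: take whatever is available. Returns the number of bytes past
 * the first frame that landed in user space; non-zero is the residual-data
 * case, since a kernel consumer taking over the socket would never see them. */
int greedy_read_residual(int fd)
{
    uint8_t buf[MAX_FRAME + 2];
    ssize_t r = read(fd, buf, sizeof buf);
    if (r < 2) return -1;
    size_t first = 2u + (size_t)((buf[0] << 8) | buf[1]);
    return r > (ssize_t)first ? (int)(r - first) : 0;
}

/* Bytes still queued in the kernel for fd (FIONREAD). */
int pending_bytes(int fd)
{
    int n = 0;
    return ioctl(fd, FIONREAD, &n) < 0 ? -1 : n;
}

/* Queue both constructed frames on sv[0]; the reader side is sv[1]. */
static int queue_two_frames(int sv[2])
{
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (write_frame(sv[0], FRAME_A, sizeof FRAME_A) < 0 ||
        write_frame(sv[0], FRAME_B, sizeof FRAME_B) < 0) {
        close(sv[0]); close(sv[1]); return -1;
    }
    return 0;
}

/* Exact read of frame A; returns how much of frame B (2 + 14 bytes) is still
 * in the kernel afterwards, or -1 if frame A did not come back intact. */
int demo_exact(void)
{
    int sv[2];
    uint8_t buf[MAX_FRAME];
    if (queue_two_frames(sv) < 0) return -1;
    int got = read_one_frame(sv[1], buf, sizeof buf);
    int left = pending_bytes(sv[1]);
    close(sv[0]); close(sv[1]);
    if (got != (int)sizeof FRAME_A || memcmp(buf, FRAME_A, sizeof FRAME_A) != 0) return -1;
    return left;
}

/* Greedy read of the same input; returns how much of frame B was pulled into
 * user space instead. */
int demo_greedy(void)
{
    int sv[2];
    if (queue_two_frames(sv) < 0) return -1;
    int residual = greedy_read_residual(sv[1]);
    close(sv[0]); close(sv[1]);
    return residual;
}

int main(void)
{
    printf("exact read: %d bytes of the next frame still in the kernel\n", demo_exact());
    printf("greedy read: %d bytes of the next frame stuck in user space\n", demo_greedy());
    return 0;
}
```

Both demos return 16 (the 2-byte header plus the 14-byte payload of the second frame); the difference is where those 16 bytes are. Whether an exact-read approach is worth the extra code in OpenVPN is exactly the trade-off the cover letter defers until the ovpn-dco TCP API settles.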