From patchwork Fri May 10 11:07:32 2024
X-Patchwork-Submitter: "ralf_lici (Code Review)"
X-Patchwork-Id: 3709
From: "its_Giaan (Code Review)"
X-Gerrit-PatchSet: 1
Date: Fri, 10 May 2024 11:07:32 +0000
To: plaisthos, flichtenheld
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: Ic8538e734dba53cd43fead3961e4401c8037e079
X-Gerrit-Change-Number: 587
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 74219b63ff82184d3371557fc5b74c1e69e24614
Message-ID: <115c9e4a18efea0807aafbc9aeabff9911c2ef81-HTML@gerrit.openvpn.net>
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [M] Change in openvpn[master]: Ensures all params are ready before invoking dco_set_peer()
Reply-To: gianmarco@mandelbit.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Cc: openvpn-devel

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/587?usp=email to review the following change.

Change subject: Ensures all params are ready before invoking dco_set_peer()
......................................................................
Ensures all params are ready before invoking dco_set_peer()

In the UDP case, dco_set_peer() is currently performed at the wrong time, since the mssfix param is calculated later on in tls_session_update_crypto_params_do_work(). By moving dco_set_peer() inside tls_session_update_crypto_params_do_work() we will ensure that all crypto and frame params are properly initialized, and if an update occurs dco will be notified.

Change-Id: Ic8538e734dba53cd43fead3961e4401c8037e079
Signed-off-by: Gianmarco De Gregori
---
M src/openvpn/init.c
M src/openvpn/multi.c
M src/openvpn/ssl.c
M src/openvpn/ssl.h
4 files changed, 34 insertions(+), 22 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/87/587/1

diff --git a/src/openvpn/init.c b/src/openvpn/init.c index ec0c309..b8420ad 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2343,7 +2343,8 @@ if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, frame_fragment, - get_link_socket_info(c))) + get_link_socket_info(c), + &c->c1.tuntap->dco)) { msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); return false; @@ -2562,7 +2563,8 @@ if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, frame_fragment, - get_link_socket_info(c))) + get_link_socket_info(c), + &c->c1.tuntap->dco)) { msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher"); return false; diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 162b23e..0425057 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c
@@ -2364,21 +2364,6 @@ return false; } - if (mi->context.options.ping_send_timeout || mi->context.c2.frame.mss_fix) - { - ret = dco_set_peer(&mi->context.c1.tuntap->dco, - mi->context.c2.tls_multi->dco_peer_id, - mi->context.options.ping_send_timeout, - mi->context.options.ping_rec_timeout, - mi->context.c2.frame.mss_fix); - if (ret < 0) - { - msg(D_DCO, "Cannot set DCO peer parameters for %s (id=%u): %s", - multi_instance_string(mi, false, gc), - mi->context.c2.tls_multi->dco_peer_id, strerror(-ret)); - return false; - } - } return true; } @@ -2398,7 +2383,8 @@ struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, frame_fragment, - get_link_socket_info(c))) + get_link_socket_info(c), + &c->c1.tuntap->dco)) { msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); register_signal(c->sig, SIGUSR1, "process-push-msg-failed"); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 7c49451..fa226f9 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1572,7 +1572,8 @@ struct options *options, struct frame *frame, struct frame *frame_fragment, - struct link_socket_info *lsi) + struct link_socket_info *lsi, + dco_context_t *dco) { if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized) { @@ -1619,6 +1620,25 @@ return false; } } + + if (dco_enabled(options)) + { + int ret; + if (options->ping_send_timeout || frame->mss_fix) + { + ret = dco_set_peer(dco, + multi->dco_peer_id, + options->ping_send_timeout, + options->ping_rec_timeout, + frame->mss_fix); + if (ret < 0) + { + msg(D_DCO, "Cannot set DCO peer parameters for peer (id=%u): %s", + multi->dco_peer_id, strerror(-ret)); + return false; + } + } + } return tls_session_generate_data_channel_keys(multi, session); } 
@@ -1627,7 +1647,8 @@ struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, - struct link_socket_info *lsi) + struct link_socket_info *lsi, + dco_context_t *dco) { if (!check_session_cipher(session, options)) { @@ -1638,7 +1659,7 @@ session->opt->crypto_flags |= options->imported_protocol_flags; return tls_session_update_crypto_params_do_work(multi, session, options, - frame, frame_fragment, lsi); + frame, frame_fragment, lsi, dco); } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 98e59e8..c0d855a 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -452,6 +452,8 @@ * @param frame_fragment The fragment frame options. * @param lsi link socket info to adjust MTU related options * depending on the current protocol + * @param dco The dco context to perform dco_set_peer() + * whenever a crypto param update occur. * * @return true if updating succeeded or keys are already generated, false otherwise. */ @@ -460,7 +462,8 @@ struct options *options, struct frame *frame, struct frame *frame_fragment, - struct link_socket_info *lsi); + struct link_socket_info *lsi, + dco_context_t *dco); /* * inline functions
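Review bot: in both init.c hunks (@@ -2343 and @@ -2562) the new argument `&c->c1.tuntap->dco` is evaluated unconditionally, before the `dco_enabled(options)` check inside ssl.c decides whether it will be used; if `c->c1.tuntap` can still be NULL at either call site (non-DCO builds or configurations, or before the tun device is set up), forming that member address is undefined behaviour even though `dco_set_peer()` is never reached. Either guard the argument at the caller (`dco_enabled(&c->options) ? &c->c1.tuntap->dco : NULL`) or state in a comment why `tuntap` is guaranteed non-NULL here. These client-side call sites also now feed `multi->dco_peer_id` straight into `dco_set_peer()`, so confirm that the peer id is already assigned before these points in the client setup order.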
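Review bot: the multi.c hunk (@@ -2364) removes the only log line that identified the client via `multi_instance_string(mi, false, gc)`; the replacement message in ssl.c carries just the peer id, so a failed `dco_set_peer()` on a server is no longer attributable to a client address or common name from the log alone. Consider logging the instance at the multi.c caller when `tls_session_update_crypto_params()` returns false, so operators keep that context for troubleshooting.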
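Review bot: in the ssl.c hunk (@@ -1619) the new `dco_enabled(options)` block only runs on the path that reaches the end of `tls_session_update_crypto_params_do_work()`; the branch at the top on `session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized` executes first, so if it returns early when keys already exist, a later change of `ping_send_timeout` or `frame->mss_fix` is not pushed to DCO. That contradicts the commit message's "if an update occurs dco will be notified", so either move the block ahead of that branch or document that peer params are set only on first key generation. Minor: `int ret;` is declared at the outer block but only used in the inner `if`; narrow its scope.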
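Review bot: in the ssl.h hunk (@@ -452) the new `@param dco` text reads "whenever a crypto param update occur"; it should be "occurs". The comment should also state the NULL contract for `dco`, since the ssl.c code dereferences it through `dco_set_peer()` only under `dco_enabled(options)`; callers need to know whether passing NULL is allowed when DCO is disabled.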