From patchwork Thu Dec 3 07:22:30 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steffan Karger X-Patchwork-Id: 1538 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.31.255.6]) by backend41.mail.ord1d.rsapps.net with LMTP id yHNJNDMtyV8bMwAAqwncew (envelope-from ) for ; Thu, 03 Dec 2020 13:23:47 -0500 Received: from proxy14.mail.iad3b.rsapps.net ([172.31.255.6]) by director10.mail.ord1d.rsapps.net with LMTP id OH34MzMtyV/INwAApN4f7A (envelope-from ) for ; Thu, 03 Dec 2020 13:23:47 -0500 Received: from smtp14.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy14.mail.iad3b.rsapps.net with LMTPS id WDL9LDMtyV+TCAAA+7ETDg (envelope-from ) for ; Thu, 03 Dec 2020 13:23:47 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp14.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=karger-me.20150623.gappssmtp.com; dmarc=fail (p=none; dis=none) header.from=karger.me X-Suspicious-Flag: YES X-Classification-ID: ae7e3e56-3594-11eb-a4e5-52540057873d-1-1 Received: from [216.105.38.7] ([216.105.38.7:48962] helo=lists.sourceforge.net) by smtp14.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 93/D2-26875-33D29CF5; Thu, 03 Dec 2020 13:23:47 -0500 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1kktFt-0002TM-L6; Thu, 03 Dec 2020 18:23:01 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kktFs-0002T7-Az for openvpn-devel@lists.sourceforge.net; Thu, 03 Dec 2020 18:23:00 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=FA80P+50wAMJ3DkyP8MtaBURKk7oonn1mbaSFRXljoQ=; b=f8+ttqZ3fua+eGT1wSb72wTzxb 3ky96ok5/8jE+DwlC/aTlkNpJ/064ewJwb+NEyE1RqnqvYR2MTi3bApyfvmiYPbKIXRPpE27xdraH E7iKAjeyZpcvTJy1RwuQChgOVRUQ84s8m6GRDkdIngo0JUoDhhZNpejJivlJgk8ocHdA=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=FA80P+50wAMJ3DkyP8MtaBURKk7oonn1mbaSFRXljoQ=; b=PkDv8VfcTBGup0bUVmlaLkuC6S j81FKVhMCan0zWVq2p7qBFplG7hX/eRHHCycdTjYFFoSFfGSf3XU5sIqO5Q0YLq+pyFF3J9qsUT3I FmvAGv+ggMsp9Aim7cbcobjnwnM9e5AQZf4CMDow5hOTsTJDap+skEBh6RZueuZ6iW1Y=; Received: from mail-ej1-f68.google.com ([209.85.218.68]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.2) id 1kktFl-000bFL-Sa for openvpn-devel@lists.sourceforge.net; Thu, 03 Dec 2020 18:23:00 +0000 Received: by mail-ej1-f68.google.com with SMTP id m19so4873414ejj.11 for ; Thu, 03 Dec 2020 10:22:53 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=karger-me.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=FA80P+50wAMJ3DkyP8MtaBURKk7oonn1mbaSFRXljoQ=; b=ogC53mP92ACjvpZetNOc5pPlCBe1NFMYADmzsQgKeLRaSqOGSVOGv8A9sSMhQspNHJ pBKJ1XKBBGOsf52eQUQ4cuihp8TrlR3TkTeCGZNWGsRUm6CYBuOL99Yh/KL+NdRTcX8Y zxo/iBZaSUCDEpTuOHtvdXckypEf8N9NBhoWt5AzsNA1nusYeJ890ruBsS6cTRBgzn09 L1kDgmhMslTPzUDcn7653Az3bVzTZ0Jlo1QVKnTnM/+onRH1xNrClQLvIb7Wrhw42HTw kcRR1KMEdWwg4tMg4Rf4dOF8QArlQcTgpCgPtKltdaoNfsV03hL+byGdWmVL2BJt+f+P Tuig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=FA80P+50wAMJ3DkyP8MtaBURKk7oonn1mbaSFRXljoQ=; b=foxBceY58dDOcNkVi3C2RJ54F9lZ7lUC6/azm5KgY/gUJAs1u2ACtTX/YWg2J7umKK 7QTJ1QQ8cJHeqj1FnOT5t9cby37XTpz3e066lESWOnvHX4ZFywI3rAhiFt85Uas9yF1o b4szV/CCs8q7gnyot+cNtw/USrFyrabbexh17QAUB1nsS4vJW3aLpoql7Ll1v719yoiA 3ZxU9iprnD0Ir2cdzkNz1dKxpv2hrnMBO7hiaDcjzwqD4ZWmpYnAcabjoeKaHCVzn8zw sVQnxQE3kxWse842Oo2Wz2U6tzQxmxRshWWX9MsUknfTHZyV43LnJW3eI7nnByTZE+CZ g0dQ== X-Gm-Message-State: AOAM531xYv2FQnBr/VsNKmOQUK21CUjbJqULQ/0kmTqwYNVmAB+kuXHi z0ykeXNHZOA7vASK8tXR81syCoe3/oqsRw== X-Google-Smtp-Source: ABdhPJyBQXkv76fUSYGIwN3PCT4OPgxoNKTqJdSocBsxMSUbA2OMtB4B+JL4SWAu4uhNgTlyy8glgw== X-Received: by 2002:a17:906:1405:: with SMTP id p5mr3594223ejc.282.1607019767233; Thu, 03 Dec 2020 10:22:47 -0800 (PST) Received: from luna.fritz.box ([2001:985:e54:1:4d43:64f5:5b5d:a941]) by smtp.gmail.com with ESMTPSA id x15sm1629159edj.91.2020.12.03.10.22.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 03 Dec 2020 10:22:46 -0800 (PST) From: Steffan Karger To: openvpn-devel@lists.sourceforge.net Date: Thu, 3 Dec 2020 19:22:30 +0100 Message-Id: <20201203182230.33552-1-steffan@karger.me> X-Mailer: git-send-email 2.25.1 In-Reply-To: <53a9d994-312d-4349-33d2-2a0d39f50882@unstable.cc> References: <53a9d994-312d-4349-33d2-2a0d39f50882@unstable.cc> MIME-Version: 1.0 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.218.68 listed in list.dnswl.org] 0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [209.85.218.68 listed in wl.mailspike.net] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders X-Headers-End: 1kktFl-000bFL-Sa Subject: [Openvpn-devel] [PATCH 1/2 v2] tls-crypt-v2: fix server memory leak X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox tls-crypt-v2 was developed in parallel with the changes that allowed to use tls-auth/tls-crypt in connection blocks. The tls-crypt-v2 patch set was never updated to the new reality after commit 5817b49b, causing a memory leak of about 600 bytes for each connecting client. It would be nicer to not reload the tls-crypt-v2 server key for each connecting client, but that requires more refactoring (and thus more time to get right). So for now just plug the leak by free'ing the memory when we close a client connection. To test this easily, compile openvpn with -fsanity=address, run a server with tls-crypt-v2, connect a client, stop the server. Signed-off-by: Steffan Karger Acked-by: Antonio Quartulli --- v2: remove now-redundant free_key_ctx() from key_schedule_free() src/openvpn/init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 27a4170d..c3493c42 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2561,7 +2561,6 @@ key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx) if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx) { tls_ctx_free(&ks->ssl_ctx); - free_key_ctx(&ks->tls_crypt_v2_server_key); } CLEAR(*ks); } @@ -3619,6 +3618,7 @@ do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) * always free the tls_auth/crypt key. If persist_key is true, the key will * be reloaded from memory (pre-cached) */ + free_key_ctx(&c->c1.ks.tls_crypt_v2_server_key); free_key_ctx_bi(&c->c1.ks.tls_wrap_key); CLEAR(c->c1.ks.tls_wrap_key); buf_clear(&c->c1.ks.tls_crypt_v2_wkc);