From patchwork Thu Jun 23 22:37:50 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 2527 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id AJ4BMzF4tWKjTwAAqwncew (envelope-from ) for ; Fri, 24 Jun 2022 04:39:13 -0400 Received: from proxy10.mail.ord1d.rsapps.net ([172.30.191.6]) by director11.mail.ord1d.rsapps.net with LMTP id 2ObvMjF4tWL9PQAAvGGmqA (envelope-from ) for ; Fri, 24 Jun 2022 04:39:13 -0400 Received: from smtp18.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy10.mail.ord1d.rsapps.net with LMTPS id kIhaMjF4tWIjTwAAfSg8FQ (envelope-from ) for ; Fri, 24 Jun 2022 04:39:13 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp18.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=unstable.cc X-Suspicious-Flag: YES X-Classification-ID: 1fcde96c-f399-11ec-9405-5254005167a7-1-1 Received: from [216.105.38.7] ([216.105.38.7:60850] helo=lists.sourceforge.net) by smtp18.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 2B/44-32138-13875B26; Fri, 24 Jun 2022 04:39:13 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1o4epT-0000zM-VT; Fri, 24 Jun 2022 08:38:16 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1o4epO-0000ye-R8 for openvpn-devel@lists.sourceforge.net; Fri, 24 Jun 2022 08:38:12 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=w3NCq/drePEUs+GUA0au5mZcHsJ46DTW4O1ehIBmLaM=; b=UAZXzSUq+OThITBPxgxR9/AK9X ZcbSuFG0f0VScxT0xT9vS0YIle7clNEmiRqg45r75j1lDMGwqS6JTuP6GhX/lTiPqbnoMPeCzKUbp MnCIpAhtUe8cQtN/gp3iTtFlwNkcHNqUYpplUOVD8ATkI00Xvlnzz2SExfbuUDJvNT9k=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=w3NCq/drePEUs+GUA0au5mZcHsJ46DTW4O1ehIBmLaM=; b=guHCiwgpZ00JgzPo00SKRLIwz5 Eqavtt5i92rGgEY/JL/y4xcoSa3SjKvIZAi3hhj79C169LJeIjN00/mvnjywk2tGdoa8lO8a93HO5 4X4YW4m2cIT1ltjdoWU36GDFZmiR+z9TeMucdPfCDmV/qU+SXACqjGQ7oV+OKLpLmadA=; Received: from s2.neomailbox.net ([5.148.176.60]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1o4epO-00C2Ox-Je for openvpn-devel@lists.sourceforge.net; Fri, 24 Jun 2022 08:38:11 +0000 From: Antonio Quartulli To: openvpn-devel@lists.sourceforge.net Date: Fri, 24 Jun 2022 10:37:50 +0200 Message-Id: <20220624083809.23487-7-a@unstable.cc> In-Reply-To: <20220624083809.23487-1-a@unstable.cc> References: <20220624083809.23487-1-a@unstable.cc> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Signed-off-by: Antonio Quartulli --- src/openvpn/init.c | 49 ++++++++++++++++++++++++++++++++-------- src/openvpn/ssl_common.h | 23 +++++++++++++++++++ 2 files changed, 63 insertions(+ [...] Content analysis details: (-0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1o4epO-00C2Ox-Je Subject: [Openvpn-devel] [PATCH 06/25] dco: initialize context and save pointer in TLS object X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Antonio Quartulli Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Signed-off-by: Antonio Quartulli Acked-By: Arne Schwabe --- src/openvpn/init.c | 49 ++++++++++++++++++++++++++++++++-------- src/openvpn/ssl_common.h | 23 +++++++++++++++++++ 2 files changed, 63 insertions(+), 9 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 7099eba4..7ab2c9a2 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -55,6 +55,7 @@ #include "auth_token.h" #include "mss.h" #include "mudp.h" +#include "dco.h" #include "memdbg.h" @@ -1295,15 +1296,23 @@ do_init_timers(struct context *c, bool deferred) } /* initialize pings */ - - if (c->options.ping_send_timeout) + if (dco_enabled(&c->options)) { - event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0); + /* The DCO kernel module will send the pings instead of user space */ + event_timeout_clear(&c->c2.ping_rec_interval); + event_timeout_clear(&c->c2.ping_send_interval); } - - if (c->options.ping_rec_timeout) + else { - event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now); + if (c->options.ping_send_timeout) + { + event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0); + } + + if (c->options.ping_rec_timeout) + { + event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now); + } } if (!deferred) @@ -1708,6 +1717,12 @@ do_open_tun(struct context *c) /* initialize (but do not open) tun/tap object */ do_init_tun(c); + /* inherit the dco context from the tuntap object */ + if (c->c2.tls_multi) + { + c->c2.tls_multi->dco = &c->c1.tuntap->dco; + } + #ifdef _WIN32 /* store (hide) interactive service handle in tuntap_options */ c->c1.tuntap->options.msg_channel = c->options.msg_channel; @@ -1756,6 +1771,11 @@ do_open_tun(struct context *c) /* Store the old fd inside the fd so open_tun can use it */ c->c1.tuntap->fd = oldtunfd; #endif + if (dco_enabled(&c->options)) + { + ovpn_dco_init(c->mode, &c->c1.tuntap->dco); + } + /* open the tun device */ open_tun(c->options.dev, c->options.dev_type, c->options.dev_node, c->c1.tuntap, &c->net_ctx); @@ -2979,12 +2999,20 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) } } + /* let the TLS engine know if keys have to be installed in DCO or not */ + to.disable_dco = !dco_enabled(options); + /* * Initialize OpenVPN's master TLS-mode object. */ if (flags & CF_INIT_TLS_MULTI) { c->c2.tls_multi = tls_multi_init(&to); + /* inherit the dco context from the tuntap object */ + if (c->c1.tuntap) + { + c->c2.tls_multi->dco = &c->c1.tuntap->dco; + } } if (flags & CF_INIT_TLS_AUTH_STANDALONE) @@ -4365,15 +4393,18 @@ inherit_context_child(struct context *dest, #endif /* context init */ + + /* inherit tun/tap interface object now as it may be required + * to initialize the DCO context in init_instance() + */ + dest->c1.tuntap = src->c1.tuntap; + init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP); if (IS_SIG(dest)) { return; } - /* inherit tun/tap interface object */ - dest->c1.tuntap = src->c1.tuntap; - /* UDP inherits some extra things which TCP does not */ if (dest->mode == CM_CHILD_UDP) { diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index cef2611b..83373a97 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -167,6 +167,12 @@ enum auth_deferred_result { ACF_FAILED /**< deferred auth has failed */ }; +enum dco_key_status { + DCO_NOT_INSTALLED, + DCO_INSTALLED_PRIMARY, + DCO_INSTALLED_SECONDARY +}; + /** * Security parameter state of one TLS and data channel %key session. * @ingroup control_processor @@ -197,6 +203,12 @@ struct key_state */ int key_id; + /** + * Key id for this key_state, inherited from struct tls_session. + * @see tls_multi::peer_id. + */ + uint32_t peer_id; + struct key_state_ssl ks_ssl; /* contains SSL object and BIOs for the control channel */ time_t initial; /* when we created this session */ @@ -241,6 +253,8 @@ struct key_state struct auth_deferred_status plugin_auth; struct auth_deferred_status script_auth; + + enum dco_key_status dco_status; }; /** Control channel wrapping (--tls-auth/--tls-crypt) context */ @@ -404,6 +418,8 @@ struct tls_options const char *ekm_label; size_t ekm_label_size; size_t ekm_size; + + bool disable_dco; /**< Whether keys have to be installed in DCO or not */ }; /** @addtogroup control_processor @@ -636,6 +652,13 @@ struct tls_multi /**< Array of \c tls_session objects * representing control channel * sessions with the remote peer. */ + + /* Only used when DCO is used to remember how many keys we installed + * for this session */ + int dco_keys_installed; + bool dco_peer_added; + + dco_context_t *dco; }; /** gets an item of \c key_state objects in the