From patchwork Thu Jul 28 09:47:33 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 2613 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 4JScDAHo4mK/SQAAIUCqbw (envelope-from ) for ; Thu, 28 Jul 2022 15:48:17 -0400 Received: from proxy12.mail.iad3b.rsapps.net ([172.31.255.6]) by director10.mail.ord1d.rsapps.net with LMTP id IP/ZCwHo4mLALAAApN4f7A (envelope-from ) for ; Thu, 28 Jul 2022 15:48:17 -0400 Received: from smtp21.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy12.mail.iad3b.rsapps.net with LMTPS id +BJdBgHo4mKbZgAAEsW3lA (envelope-from ) for ; Thu, 28 Jul 2022 15:48:17 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp21.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=unstable.cc X-Suspicious-Flag: YES X-Classification-ID: 38aefbd0-0eae-11ed-ae54-525400cdc90a-1-1 Received: from [216.105.38.7] ([216.105.38.7:58338] helo=lists.sourceforge.net) by smtp21.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 57/27-09126-008E2E26; Thu, 28 Jul 2022 15:48:16 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1oH9TW-00029L-7e; Thu, 28 Jul 2022 19:47:14 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1oH9TV-00029F-Pf for openvpn-devel@lists.sourceforge.net; Thu, 28 Jul 2022 19:47:13 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=YeZ0OP0Xoj9qB5vArRMRZi/2uBa0ws6eg8RW46x6vso=; b=TG/TvzSBetplG0OnX7Uyk1igOA hwINjZWMnYejqgnstPhU4pxEC/vk532EZo3ZToTiFUxdC/lKlzpKEjoW/4/fxPC3VmZd1uIS9nWSo wXPwJGpzOi07JZBy/+Zp0yDQLhq62CpA+hYNYkAM5VOeewDLPgRcFnHfxT3J7as6kPnU=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=YeZ0OP0Xoj9qB5vArRMRZi/2uBa0ws6eg8RW46x6vso=; b=mMkme1S0P3ZZkC4udq4qAx534P sWK/9drGMzqZX92LmalgPJd7N8wRnwry62n4+oQiJhx2lE5J6hQ8KPsvptZexkFO5yDU1tsqGmLWJ M+6lyjx7aYWEwHXPh6aEQkK//ZsNhQKpL7Ff94Ehgn+j0jI7zZAI5N5tEAOE/Pbl/c1A=; Received: from s2.neomailbox.net ([5.148.176.60]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1oH9TU-0000n2-2K for openvpn-devel@lists.sourceforge.net; Thu, 28 Jul 2022 19:47:13 +0000 From: Antonio Quartulli To: openvpn-devel@lists.sourceforge.net Date: Thu, 28 Jul 2022 21:47:33 +0200 Message-Id: <20220728194733.27721-1-a@unstable.cc> In-Reply-To: <20220624083809.23487-12-a@unstable.cc> References: MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: DCO will try to install keys upon generating them, however, this happens when parsing pushed cipher options (due to NCP). For this reason we need to postpone parsing pushed cipher options to *after* the tunnel interface has been opened, otherwise we would have no DCO netdev object to operate on. Content analysis details: (0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1oH9TU-0000n2-2K Subject: [Openvpn-devel] [PATCH v2 11/25] dco: split option parsing routines X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Antonio Quartulli Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox DCO will try to install keys upon generating them, however, this happens when parsing pushed cipher options (due to NCP). For this reason we need to postpone parsing pushed cipher options to *after* the tunnel interface has been opened, otherwise we would have no DCO netdev object to operate on. At the same time we split the parsing code, so that we can ensure that the NEW_PEER call can happen after the received peer-id has been parsed (it is required by all DCO API calls). Signed-off-by: Antonio Quartulli --- Changes from v1: * removed error message in case of failure of finish_options(). The latter already warns the user about the failure - no need to print another generic message. --- src/openvpn/init.c | 57 ++++++++++++++++++++++++++++----------------- src/openvpn/init.h | 2 ++ src/openvpn/multi.c | 7 ++++++ 3 files changed, 44 insertions(+), 22 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 338d797b..db42d540 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2093,14 +2093,6 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) return false; } } - else if (c->mode == MODE_POINT_TO_POINT) - { - if (!do_deferred_p2p_ncp(c)) - { - msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options"); - return false; - } - } /* if --up-delay specified, open tun, do ifconfig, and run up script now */ if (c->options.up_delay || PULL_DEFINED(&c->options)) @@ -2127,6 +2119,20 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) } } + if (!pulled_options && c->mode == MODE_POINT_TO_POINT) + { + if (!do_deferred_p2p_ncp(c)) + { + msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options"); + return false; + } + } + + if (!finish_options(c)) + { + return false; + } + if (c->c2.did_open_tun) { c->c1.pulled_options_digest_save = c->c2.pulled_options_digest; @@ -2332,23 +2338,30 @@ do_deferred_options(struct context *c, const unsigned int found) { return false; } - struct frame *frame_fragment = NULL; + } + + return true; +} + +bool +finish_options(struct context *c) +{ + struct frame *frame_fragment = NULL; #ifdef ENABLE_FRAGMENT - if (c->options.ce.fragment) - { - frame_fragment = &c->c2.frame_fragment; - } + if (c->options.ce.fragment) + { + frame_fragment = &c->c2.frame_fragment; + } #endif - struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - if (!tls_session_update_crypto_params(c->c2.tls_multi, session, - &c->options, &c->c2.frame, - frame_fragment, - get_link_socket_info(c))) - { - msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); - return false; - } + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + if (!tls_session_update_crypto_params(c->c2.tls_multi, session, + &c->options, &c->c2.frame, + frame_fragment, + get_link_socket_info(c))) + { + msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); + return false; } return true; diff --git a/src/openvpn/init.h b/src/openvpn/init.h index 5f412a33..9389e0db 100644 --- a/src/openvpn/init.h +++ b/src/openvpn/init.h @@ -97,6 +97,8 @@ void reset_coarse_timers(struct context *c); bool do_deferred_options(struct context *c, const unsigned int found); +bool finish_options(struct context *c); + void inherit_context_child(struct context *dest, const struct context *src); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index c72575ae..34ab90b4 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2405,6 +2405,13 @@ multi_client_connect_late_setup(struct multi_context *m, { mi->context.c2.tls_multi->multi_state = CAS_FAILED; } + /* Continue processing options only if authentication hasn't failed. + * Otherwise it does not make sense and we may operate on a non-configured + * client instance */ + else + { + finish_options(&mi->context); + } /* send push reply if ready */ if (mi->context.c2.push_request_received)