From patchwork Tue Aug 2 22:51:14 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2621
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Wed, 3 Aug 2022 10:51:14 +0200
Message-Id: <20220803085114.15117-1-a@unstable.cc>
In-Reply-To: <20220728194733.27721-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH v3 11/25] dco: split option parsing routines

DCO will try to install keys upon generating them; however, this happens when parsing pushed cipher options (due to NCP). For this reason we need to postpone parsing pushed cipher options to *after* the tunnel interface has been opened, otherwise we would have no DCO netdev object to operate on.
At the same time we split the parsing code, so that we can ensure that the NEW_PEER call can happen after the received peer-id has been parsed (it is required by all DCO API calls). Signed-off-by: Antonio Quartulli --- Changes from v2: * rename finish_options() to do_deferred_options_part2() * add comments to explain why this new function is required * remove invocation in multi.c: we already perform key generation as last step Changes from v1: * removed error message in case of failure of finish_options(). The latter already warns the user about the failure - no need to print another generic message. --- src/openvpn/init.c | 70 +++++++++++++++++++++++++++++----------------- 1 file changed, 45 insertions(+), 25 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 338d797b..7ded843e 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2078,6 +2078,37 @@ options_hash_changed_or_zero(const struct sha256_digest *a, || !memcmp(a, &zero, sizeof(struct sha256_digest)); } +/** + * This function is expected to be invoked after open_tun() was performed. + * + * This kind of behaviour is required by DCO, because the following operations + * can be done only after the DCO device was created and the new peer was + * properly added. + */ +static bool +do_deferred_options_part2(struct context *c) +{ + struct frame *frame_fragment = NULL; +#ifdef ENABLE_FRAGMENT + if (c->options.ce.fragment) + { + frame_fragment = &c->c2.frame_fragment; + } +#endif + + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + if (!tls_session_update_crypto_params(c->c2.tls_multi, session, + &c->options, &c->c2.frame, + frame_fragment, + get_link_socket_info(c))) + { + msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); + return false; + } + + return true; +} + bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found) { 
@@ -2093,14 +2124,6 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) return false; } } - else if (c->mode == MODE_POINT_TO_POINT) - { - if (!do_deferred_p2p_ncp(c)) - { - msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options"); - return false; - } - } /* if --up-delay specified, open tun, do ifconfig, and run up script now */ if (c->options.up_delay || PULL_DEFINED(&c->options)) @@ -2127,6 +2150,20 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) } } + if (!pulled_options && c->mode == MODE_POINT_TO_POINT) + { + if (!do_deferred_p2p_ncp(c)) + { + msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options"); + return false; + } + } + + if (!do_deferred_options_part2(c)) + { + return false; + } + if (c->c2.did_open_tun) { c->c1.pulled_options_digest_save = c->c2.pulled_options_digest; @@ -2332,23 +2369,6 @@ do_deferred_options(struct context *c, const unsigned int found) { return false; } - struct frame *frame_fragment = NULL; -#ifdef ENABLE_FRAGMENT - if (c->options.ce.fragment) - { - frame_fragment = &c->c2.frame_fragment; - } -#endif - - struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - if (!tls_session_update_crypto_params(c->c2.tls_multi, session, - &c->options, &c->c2.frame, - frame_fragment, - get_link_socket_info(c))) - { - msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); - return false; - } } return true;
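Review bot: in the first hunk (the new do_deferred_options_part2()), `&c->c2.tls_multi->session[TM_ACTIVE]` is dereferenced with no check that `c->c2.tls_multi` is non-NULL, yet the new call site in do_up() invokes the function unconditionally, while the block it was lifted out of in do_deferred_options() sat inside an enclosing conditional (the closing brace right before `return true;` in the last hunk is visible). Please confirm do_up() cannot be reached with a NULL tls_multi (a static-key, non-TLS context) or guard the call, e.g. `if (c->c2.tls_multi && !do_deferred_options_part2(c))`, and state the precondition in the function's doc comment alongside the open_tun() ordering requirement.

Review bot: in the third hunk, the P2P NCP block that used to be the `else if` paired with the pulled-options check is now a stand-alone `if (!pulled_options && c->mode == MODE_POINT_TO_POINT)` placed well after the tun-open code, so the reason for its new position is no longer obvious from the surrounding lines. A one-line comment stating that do_deferred_p2p_ncp() and do_deferred_options_part2() must run only after open_tun() because DCO needs the netdev and peer to exist (the same rationale given in the doc comment of the first hunk) would keep a later refactor from moving them back up.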