From patchwork Tue Aug 2 23:50:12 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 2622 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id aJEjMwdF6mJ9cwAAIUCqbw (envelope-from ) for ; Wed, 03 Aug 2022 05:51:03 -0400 Received: from proxy19.mail.ord1d.rsapps.net ([172.30.191.6]) by director10.mail.ord1d.rsapps.net with LMTP id iFj7MgdF6mLpeAAApN4f7A (envelope-from ) for ; Wed, 03 Aug 2022 05:51:03 -0400 Received: from smtp35.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy19.mail.ord1d.rsapps.net with LMTPS id oKrDMgdF6mJjXgAAyH2SIw (envelope-from ) for ; Wed, 03 Aug 2022 05:51:03 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp35.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=unstable.cc X-Suspicious-Flag: YES X-Classification-ID: c91fba6c-1311-11ed-8c0e-525400a7b7b4-1-1 Received: from [216.105.38.7] ([216.105.38.7:42824] helo=lists.sourceforge.net) by smtp35.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id FC/41-01478-7054AE26; Wed, 03 Aug 2022 05:51:03 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1oJB0v-0003Oa-TF; Wed, 03 Aug 2022 09:50:04 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1oJB0u-0003OT-E0 for openvpn-devel@lists.sourceforge.net; Wed, 03 Aug 2022 09:50:03 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=3tXhde9dDvbGM69ed4MGt48Nqu8kv9xYuXXcUI+M/jY=; b=iIdfwVhkVrKO9HD7RET4BDCCqz /edrfHmJZIZVwdCGe0CN/TcanY+pk4L4YncqOydpqv93vskX/izS69jPzHFJxuEerYI5tMN9ol5ho RbmlKdV/1Lzh9kfT0iFTwt0Wz2W7yn3EVW9o7UnWhszoV4OBKfr9u/5lc4TuWJ64XGCg=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=3tXhde9dDvbGM69ed4MGt48Nqu8kv9xYuXXcUI+M/jY=; b=hv74RWcVZbkvxIAY903sVZ6Odc q/11kMPI3hsQvoWfwAm8e2+cJCf05Ej74ghHn0Twgc9bLHnKG0fxaT2n1HG7Egv24UQJ3r9wy7C6a 5x61MQ44a805O7UXy9mtSABh7Wg/NA7IjXDmIWSi0HE33iHYiSdrlw0YbHq4vZCDjZyk=; Received: from s2.neomailbox.net ([5.148.176.60]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1oJB0U-0003sN-5D for openvpn-devel@lists.sourceforge.net; Wed, 03 Aug 2022 09:50:03 +0000 From: Antonio Quartulli To: openvpn-devel@lists.sourceforge.net Date: Wed, 3 Aug 2022 11:50:12 +0200 Message-Id: <20220803095012.24975-1-a@unstable.cc> In-Reply-To: <20220803085114.15117-1-a@unstable.cc> References: MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: DCO will try to install keys upon generating them, however, this happens when parsing pushed cipher options (due to NCP). For this reason we need to postpone parsing pushed cipher options to *after* the tunnel interface has been opened, otherwise we would have no DCO netdev object to operate on. Content analysis details: (0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1oJB0U-0003sN-5D Subject: [Openvpn-devel] [PATCH v4 11/25] dco: split option parsing routines X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Antonio Quartulli Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox DCO will try to install keys upon generating them, however, this happens when parsing pushed cipher options (due to NCP). For this reason we need to postpone parsing pushed cipher options to *after* the tunnel interface has been opened, otherwise we would have no DCO netdev object to operate on. At the same time we split the parsing code, so that we can ensure that the NEW_PEER call can happen after the received peer-id has been parsed (it is required by all DCO API calls). Signed-off-by: Antonio Quartulli Acked-by: Gert Doering --- Changes from v3: * call do_deferred_options_part2() only if !pulled_options. This is the same condition that triggered the call to do_deferred_options() in the first place, therefore part2 must follow the same logic. * add extra comment in do_up to explain "step2" after open_tun() Changes from v2: * rename finish_options() to do_deferred_options_part2() * add comments to explain why this new function is required * remove invocation in multi.c: we already perform key generation as last step Changes from v1: * removed error message in case of failure of finish_options(). The latter already warns the user about the failure - no need to print another generic message. --- src/openvpn/init.c | 81 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 56 insertions(+), 25 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 338d797b..de8faeb4 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2078,6 +2078,37 @@ options_hash_changed_or_zero(const struct sha256_digest *a, || !memcmp(a, &zero, sizeof(struct sha256_digest)); } +/** + * This function is expected to be invoked after open_tun() was performed. + * + * This kind of behaviour is required by DCO, because the following operations + * can be done only after the DCO device was created and the new peer was + * properly added. + */ +static bool +do_deferred_options_part2(struct context *c) +{ + struct frame *frame_fragment = NULL; +#ifdef ENABLE_FRAGMENT + if (c->options.ce.fragment) + { + frame_fragment = &c->c2.frame_fragment; + } +#endif + + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + if (!tls_session_update_crypto_params(c->c2.tls_multi, session, + &c->options, &c->c2.frame, + frame_fragment, + get_link_socket_info(c))) + { + msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); + return false; + } + + return true; +} + bool do_up(struct context *c, bool pulled_options, unsigned int option_types_found) { @@ -2093,14 +2124,6 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) return false; } } - else if (c->mode == MODE_POINT_TO_POINT) - { - if (!do_deferred_p2p_ncp(c)) - { - msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options"); - return false; - } - } /* if --up-delay specified, open tun, do ifconfig, and run up script now */ if (c->options.up_delay || PULL_DEFINED(&c->options)) @@ -2127,6 +2150,31 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) } } + /* do_deferred_options_part2() and do_deferred_p2p_ncp() *must* be + * invoked after open_tun(). + * This is required by DCO because we must have created the interface + * and added the peer before we can fiddle with the keys or any other + * data channel per-peer setting. + */ + if (pulled_options) + { + if (!do_deferred_options_part2(c)) + { + return false; + } + } + else + { + if (c->mode == MODE_POINT_TO_POINT) + { + if (!do_deferred_p2p_ncp(c)) + { + msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options"); + return false; + } + } + } + if (c->c2.did_open_tun) { c->c1.pulled_options_digest_save = c->c2.pulled_options_digest; @@ -2332,23 +2380,6 @@ do_deferred_options(struct context *c, const unsigned int found) { return false; } - struct frame *frame_fragment = NULL; -#ifdef ENABLE_FRAGMENT - if (c->options.ce.fragment) - { - frame_fragment = &c->c2.frame_fragment; - } -#endif - - struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - if (!tls_session_update_crypto_params(c->c2.tls_multi, session, - &c->options, &c->c2.frame, - frame_fragment, - get_link_socket_info(c))) - { - msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); - return false; - } } return true;