From patchwork Mon Sep 19 04:17:57 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2777
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 19 Sep 2022 16:17:57 +0200
Message-Id: <20220919141757.9336-1-a@unstable.cc>
X-Mailer: git-send-email 2.35.1
Subject: [Openvpn-devel] [PATCH] p2p/dco: renew peer in P2P mode upon reconnection
Cc: Antonio Quartulli

In P2P mode, when the peer reconnects, we have to renew the state in DCO in order to inform it about the new peer-id.

Cc: Arne Schwabe
Signed-off-by: Antonio Quartulli
---
 src/openvpn/forward.c |  2 +-
 src/openvpn/ssl.c     | 42 +++++++++++++++++++++++++++++++++++++-----
 src/openvpn/ssl.h     |  3 ++-
 3 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 810cb8a7..cdf97d44 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -171,7 +171,7 @@ check_tls(struct context *c) if (interval_test(&c->c2.tmp_int)) { const int tmp_status = tls_multi_process - (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr, + (c, c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr, get_link_socket_info(c), &wakeup); if (tmp_status == TLSMP_ACTIVE) { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 3116fa4b..652df5d6 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -45,6 +45,7 @@ #include "error.h" #include "common.h" +#include "openvpn.h" #include "socket.h" #include "misc.h" #include "fdmisc.h" @@ -2717,7 +2718,8 @@ read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf, static bool -tls_process_state(struct tls_multi *multi, +tls_process_state(struct context *c, + struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, @@ -2827,6 +2829,20 @@ tls_process_state(struct tls_multi *multi, state_change = true; dmsg(D_TLS_DEBUG_MED, "STATE S_SENT_KEY"); ks->state = S_SENT_KEY; + + /* In P2P mode we have to renew the peer in DCO in case of + * reconnection (--tls-server case) + */ + if (session->opt->server && (session->opt->mode != MODE_SERVER) + && (ks->key_id == 0) && c->c2.tls_multi->dco_peer_added) + { + msg(D_DCO, "Renewing P2P peer in tls-server mode"); + int ret = dco_p2p_add_new_peer(c); + if (ret < 0) + { + msg(D_DCO, "Cannot renew peer in DCO: %s (%d)", strerror(-ret), ret); + } + } } /* Receive Key */ 
@@ -2843,6 +2859,20 @@ tls_process_state(struct tls_multi *multi, state_change = true; dmsg(D_TLS_DEBUG_MED, "STATE S_GOT_KEY"); ks->state = S_GOT_KEY; + + /* In P2P mode we have to renew the peer in DCO in case of + * reconnection (--tls-client case) + */ + if (!session->opt->server && !session->opt->pull && (ks->key_id == 0) + && c->c2.tls_multi->dco_peer_added) + { + msg(D_DCO, "Renewing P2P peer in tls-client mode"); + int ret = dco_p2p_add_new_peer(c); + if (ret < 0) + { + msg(D_DCO, "Cannot renew peer in DCO: %s (%d)", strerror(-ret), ret); + } + } } /* Write outgoing plaintext to TLS object */ @@ -2911,7 +2941,8 @@ error: * want to send to our peer. */ static bool -tls_process(struct tls_multi *multi, +tls_process(struct context *c, + struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, @@ -2962,7 +2993,7 @@ tls_process(struct tls_multi *multi, state_name(ks_lame->state), to_link->len, *wakeup); - state_change = tls_process_state(multi, session, to_link, to_link_addr, + state_change = tls_process_state(c, multi, session, to_link, to_link_addr, to_link_socket_info, wakeup); if (ks->state == S_ERROR) @@ -3055,7 +3086,8 @@ tls_process(struct tls_multi *multi, */ int -tls_multi_process(struct tls_multi *multi, +tls_multi_process(struct context *c, + struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, @@ -3101,7 +3133,7 @@ tls_multi_process(struct tls_multi *multi, update_time(); - if (tls_process(multi, session, to_link, &tla, + if (tls_process(c, multi, session, to_link, &tla, to_link_socket_info, wakeup)) { active = TLSMP_ACTIVE; diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index a2724470..034f22ce 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h 
@@ -218,7 +218,8 @@ void tls_multi_free(struct tls_multi *multi, bool clear); * Basically decides if we should call tls_process for * the active or untrusted sessions. */ -int tls_multi_process(struct tls_multi *multi, +int tls_multi_process(struct context *c, + struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info,
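Review bot: in the forward.c hunk, the new call `tls_multi_process(c, c->c2.tls_multi, ...)` in check_tls passes both the context and a field of that same context, so the `multi` argument is now redundant with `c->c2.tls_multi`. Either keep the narrower signature and pass only what ssl.c needs, or drop the `multi` parameter and derive it from `c` inside tls_multi_process; carrying both invites the two to diverge.

Review bot: the `#include "openvpn.h"` hunk makes the TLS state machine in ssl.c depend on `struct context`, which it did not before, while the hunks below only need to know whether a DCO peer was already added and to call dco_p2p_add_new_peer(c). Consider passing a narrower handle or a callback instead of the whole context so ssl.c keeps its layering.

Review bot: in the S_SENT_KEY hunk a failed dco_p2p_add_new_peer() is only logged at D_DCO and the handshake then proceeds, so the key state reaches S_SENT_KEY while the kernel side still holds the old peer entry and the new peer-id is never installed; data traffic on the renewed session would then fail later with no obvious cause. Consider making `ret < 0` fail the session instead of continuing, or at least log it at M_WARN so the operator sees it. Also, `strerror(-ret)` relies on dco_p2p_add_new_peer() returning a negative errno; a one-line comment stating that contract would help the next reader.

Review bot: the block added under S_GOT_KEY duplicates the one under S_SENT_KEY apart from the condition and the log text; factor both into a small static helper (for example a hypothetical dco_p2p_renew_peer(c, "tls-client")) so the error handling lives in one place. In both blocks `c->c2.tls_multi->dco_peer_added` should simply be `multi->dco_peer_added`, since `multi` is already a parameter of tls_process_state and is the same object. The two "P2P" tests also differ in shape (`session->opt->server && mode != MODE_SERVER` versus `!session->opt->server && !session->opt->pull`); a single named predicate would make the intent clearer and keep the two sides from drifting apart.

Review bot: the doc comment above tls_multi_process in the ssl.h hunk is not updated for the new `struct context *c` parameter; add a line describing it, and that it is only used to renew the DCO peer in P2P mode, so the header matches the prototype.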