From patchwork Mon Sep 19 05:35:41 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2778
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Mon, 19 Sep 2022 17:35:41 +0200
Message-Id: <20220919153541.9991-1-a@unstable.cc>
In-Reply-To: <20220919141757.9336-1-a@unstable.cc>
X-Mailer: git-send-email 2.35.1
Subject: [Openvpn-devel] [PATCH v2] p2p/dco: renew peer in P2P mode upon reconnection

In P2P mode when the peer reconnects we have to renew the state in DCO in order to inform it about the new peer-id.

Cc: Arne Schwabe
Signed-off-by: Antonio Quartulli
---
Changes from v1:
* remove useless arguments from tls_multi_process() (and descendant calls) as we now pass 'c' directly
---
 src/openvpn/forward.c |  4 +---
 src/openvpn/ssl.c     | 54 +++++++++++++++++++++++++++++++++----------
 src/openvpn/ssl.h     |  6 +----
 3 files changed, 44 insertions(+), 20 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 810cb8a7..41593fc9 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -170,9 +170,7 @@ check_tls(struct context *c) if (interval_test(&c->c2.tmp_int)) { - const int tmp_status = tls_multi_process - (c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr, - get_link_socket_info(c), &wakeup); + const int tmp_status = tls_multi_process(c, &wakeup); if (tmp_status == TLSMP_ACTIVE) { update_time(); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 3116fa4b..10691f0c 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -45,9 +45,11 @@ #include "error.h" #include "common.h" +#include "openvpn.h" #include "socket.h" #include "misc.h" #include "fdmisc.h" +#include "forward.h" #include "interval.h" #include "perf.h" #include "status.h" @@ -2717,13 +2719,14 @@ read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf, static bool -tls_process_state(struct tls_multi *multi, +tls_process_state(struct context *c, struct tls_session *session, - struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup) { + struct tls_multi *multi = c->c2.tls_multi; + struct buffer *to_link = &c->c2.to_link; bool state_change = false; struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ @@ -2827,6 +2830,20 @@ tls_process_state(struct tls_multi *multi, state_change = true; dmsg(D_TLS_DEBUG_MED, "STATE S_SENT_KEY"); ks->state = S_SENT_KEY; + + /* In P2P mode we have to renew the peer in DCO in case of + * reconnection (--tls-server case) + */ + if (session->opt->server && (session->opt->mode != MODE_SERVER) + && (ks->key_id == 0) && multi->dco_peer_added) + { + msg(D_DCO, "Renewing P2P peer in tls-server mode"); + int ret = dco_p2p_add_new_peer(c); + if (ret < 0) + { + msg(D_DCO, "Cannot renew peer in DCO: %s (%d)", strerror(-ret), ret); + } + } } /* Receive Key */ 
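Review bot: in the S_SENT_KEY hunk a negative return from dco_p2p_add_new_peer(c) is only logged via msg(D_DCO, ...) and the state machine goes on to receive the peer's key as if the DCO peer had been renewed, so a failure there leaves the kernel with the previous peer-id while user space treats the new session as usable, and the problem surfaces later as lost data-plane traffic instead of at the point of failure. Either take the existing error path of tls_process_state (the `error:` label that the next hunk's header shows) so the session is torn down, or add a comment explaining why continuing is acceptable; the same applies to the client-side block in the S_GOT_KEY hunk. The comment above the check only says "in case of reconnection", but it is `(ks->key_id == 0)` that separates a fresh session after a reconnect from a renegotiation of the running one, and `multi->dco_peer_added` that separates a reconnect from the very first connect, so it is worth spelling that out where the condition lives.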
@@ -2843,6 +2860,20 @@ tls_process_state(struct tls_multi *multi, state_change = true; dmsg(D_TLS_DEBUG_MED, "STATE S_GOT_KEY"); ks->state = S_GOT_KEY; + + /* In P2P mode we have to renew the peer in DCO in case of + * reconnection (--tls-client case) + */ + if (!session->opt->server && !session->opt->pull && (ks->key_id == 0) + && multi->dco_peer_added) + { + msg(D_DCO, "Renewing P2P peer in tls-client mode"); + int ret = dco_p2p_add_new_peer(c); + if (ret < 0) + { + msg(D_DCO, "Cannot renew peer in DCO: %s (%d)", strerror(-ret), ret); + } + } } /* Write outgoing plaintext to TLS object */ @@ -2911,15 +2942,16 @@ error: * want to send to our peer. */ static bool -tls_process(struct tls_multi *multi, +tls_process(struct context *c, struct tls_session *session, - struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup) { struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */ + struct tls_multi *multi = c->c2.tls_multi; + struct buffer *to_link = &c->c2.to_link; /* Make sure we were initialized and that we're not in an error state */ ASSERT(ks->state != S_UNDEF); @@ -2962,7 +2994,7 @@ tls_process(struct tls_multi *multi, state_name(ks_lame->state), to_link->len, *wakeup); - state_change = tls_process_state(multi, session, to_link, to_link_addr, + state_change = tls_process_state(c, session, to_link_addr, to_link_socket_info, wakeup); if (ks->state == S_ERROR) 
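Review bot: the renew block in the S_GOT_KEY hunk duplicates the one in S_SENT_KEY except for the condition and the log string, and the two conditions describe P2P mode differently (`session->opt->server && (session->opt->mode != MODE_SERVER)` on the tls-server side, `!session->opt->server && !session->opt->pull` on the tls-client side); a single static helper, say dco_p2p_renew_peer(c, session, ks), gated by one shared predicate would keep the two paths from drifting apart if either condition is touched later. In the tls_process signature hunk, `to_link_socket_info` is still passed down even though tls_multi_process now derives it from `c` with get_link_socket_info(c) and tls_process/tls_process_state receive `c` as well; given the v2 goal of dropping arguments that are now reachable through `c`, that parameter could go too (`to_link_addr` has to stay, since tls_multi_process passes its local `&tla` rather than `&c->c2.to_link_addr`).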
@@ -3055,12 +3087,11 @@ tls_process(struct tls_multi *multi, */ int -tls_multi_process(struct tls_multi *multi, - struct buffer *to_link, - struct link_socket_actual **to_link_addr, - struct link_socket_info *to_link_socket_info, - interval_t *wakeup) +tls_multi_process(struct context *c, interval_t *wakeup) { + struct link_socket_info *to_link_socket_info = get_link_socket_info(c); + struct link_socket_actual **to_link_addr = &c->c2.to_link_addr; + struct tls_multi *multi = c->c2.tls_multi; struct gc_arena gc = gc_new(); int active = TLSMP_INACTIVE; bool error = false; @@ -3101,8 +3132,7 @@ tls_multi_process(struct tls_multi *multi, update_time(); - if (tls_process(multi, session, to_link, &tla, - to_link_socket_info, wakeup)) + if (tls_process(c, session, &tla, to_link_socket_info, wakeup)) { active = TLSMP_ACTIVE; } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index a2724470..13b44f20 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -218,11 +218,7 @@ void tls_multi_free(struct tls_multi *multi, bool clear); * Basically decides if we should call tls_process for * the active or untrusted sessions. */ -int tls_multi_process(struct tls_multi *multi, - struct buffer *to_link, - struct link_socket_actual **to_link_addr, - struct link_socket_info *to_link_socket_info, - interval_t *wakeup); +int tls_multi_process(struct context *c, interval_t *wakeup); /**************************************************************************/
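Review bot: with the tls_multi_process hunk, together with the new includes of openvpn.h and forward.h at the top of ssl.c, the TLS state machine now depends on the full struct context and on forward.c, which is itself the caller of tls_multi_process() from check_tls(); everything reached through `c` in the visible hunks is c->c2.tls_multi, c->c2.to_link, c->c2.to_link_addr, get_link_socket_info(c) and the argument for dco_p2p_add_new_peer(c), so a one-line comment above tls_multi_process() saying that `c` is needed for the DCO peer renewal would help the next reader understand why the lower layer now pulls in the context. In the ssl.h hunk the doxygen block above the prototype is only partly visible here; make sure any @param entries for the removed to_link, to_link_addr and to_link_socket_info arguments are dropped and `c` is documented in their place.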