From patchwork Tue Dec 13 22:54:29 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2904
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 13 Dec 2022 23:54:29 +0100
Message-Id: <20221213225430.1892940-2-arne@rfc2549.org>
In-Reply-To: <20221213225430.1892940-1-arne@rfc2549.org>
References: <20221213225430.1892940-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 2/3] Trigger a USR1 if dco_update_keys fails

When dco_update_keys fails, we are in some weird state that we are unlikely to recover from, since what userspace and kernel space think of the keys is very likely not in sync anymore. So abandon the connection if this happens.
Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli --- src/openvpn/dco.c | 15 ++++++++------- src/openvpn/dco.h | 9 ++++++--- src/openvpn/forward.c | 7 ++++++- 3 files changed, 20 insertions(+), 11 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 2396bcbf0..36bfbf10a 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -130,7 +130,7 @@ dco_get_secondary_key(struct tls_multi *multi, const struct key_state *primary) return NULL; } -void +bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi) { msg(D_DCO_DEBUG, "%s: peer_id=%d", __func__, multi->dco_peer_id); @@ -140,7 +140,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) */ if (multi->dco_keys_installed == 0) { - return; + return true; } struct key_state *primary = tls_select_encryption_key(multi); @@ -155,18 +155,18 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) if (ret < 0) { msg(D_DCO, "Cannot delete primary key during wipe: %s (%d)", strerror(-ret), ret); - return; + return false; } ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_SECONDARY); if (ret < 0) { msg(D_DCO, "Cannot delete secondary key during wipe: %s (%d)", strerror(-ret), ret); - return; + return false; } multi->dco_keys_installed = 0; - return; + return true; } /* if we have a primary key, it must have been installed already (keys @@ -198,7 +198,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) if (ret < 0) { msg(D_DCO, "Cannot swap keys: %s (%d)", strerror(-ret), ret); - return; + return false; } primary->dco_status = DCO_INSTALLED_PRIMARY; @@ -216,7 +216,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) if (ret < 0) { msg(D_DCO, "Cannot delete secondary key: %s (%d)", strerror(-ret), ret); - return; + return false; } multi->dco_keys_installed = 1; } @@ -230,6 +230,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) ks->dco_status = DCO_NOT_INSTALLED; } } + return true; } static bool 
diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h index e051db068..7e1febaa3 100644 --- a/src/openvpn/dco.h +++ b/src/openvpn/dco.h @@ -164,9 +164,11 @@ int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, * * @param dco DCO device context * @param multi TLS multi instance + * + * @return returns false if an error occurred that is not + * recoverable and should reset the connection */ -void dco_update_keys(dco_context_t *dco, struct tls_multi *multi); - +bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi); /** * Install a new peer in DCO - to be called by a CLIENT (or P2P) instance * @@ -304,10 +306,11 @@ init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, return 0; } -static inline void +static inline bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi) { ASSERT(false); + return false; } static inline int diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 5cd7eaa6e..8c1e49a34 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -151,7 +151,12 @@ check_dco_key_status(struct context *c) return; } - dco_update_keys(&c->c1.tuntap->dco, c->c2.tls_multi); + if (!dco_update_keys(&c->c1.tuntap->dco, c->c2.tls_multi)) + { + /* Something bad happened. Kill the connection to + * be able to recover. */ + register_signal(c, SIGUSR1, "dco update keys error"); + } } /*
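Review bot: the signature change in the first dco.c hunk (void to bool at @@ -130) only helps if every caller checks the result, and C will not warn when a bool return value is silently dropped; this series updates the one call site in check_dco_key_status (forward.c), so please confirm that is the only caller, or mark the prototype in dco.h with a warn_unused_result attribute so any other or future call site that ignores the error fails review rather than silently keeping a desynced key state.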
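Review bot: in the wipe branch (dco.c hunk at @@ -155) a failed dco_del_key on either slot now returns false before `multi->dco_keys_installed = 0;` is reached, so the connection is reset while userspace still records the keys as installed; that matches the intent in the commit message, but the two "Cannot delete ... during wipe" messages keep their previous D_DCO level although the consequence is now a SIGUSR1, so check that this level is visible at the default verbosity (or log the reset reason at a higher level in the caller), and confirm that deleting a key the kernel has already dropped cannot fail here, since that would now turn a harmless no-op into a reconnect.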
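Review bot: in the first dco.h hunk (@@ -164) the Doxygen text "@return returns false if an error occurred that is not recoverable" is redundant and does not say what the function returns on success; suggest "@return false if an unrecoverable error occurred and the connection should be reset, true otherwise". The same hunk also removes the blank line between the prototype (`-void dco_update_keys(...); -`) and the following `/**` block, so the new `+bool dco_update_keys(...);` now sits directly against the doc comment of the next function; please restore that blank line.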
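Review bot: the comment in the forward.c hunk (@@ -151), "Something bad happened. Kill the connection to be able to recover.", is vaguer than the commit message and will be the only explanation a reader of forward.c gets; suggest stating the actual reason, e.g. "The DCO key update failed, so the kernel and userspace key state may no longer be in sync; a SIGUSR1 restart is the only safe way to recover.", so that the register_signal(c, SIGUSR1, "dco update keys error") call is understood as a deliberate soft reset rather than a generic error path.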