From patchwork Sat Dec 24 19:42:46 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2938
Delivered-To: patchwork@openvpn.net
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 24 Dec 2022 20:42:46 +0100
Message-Id: <20221224194253.3202231-3-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20221224194253.3202231-1-arne@rfc2549.org>
References: <20221224194253.3202231-1-arne@rfc2549.org>
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH 2/9] Always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL

Currently we start a new session in TM_ACTIVE or TM_INITIAL depending on whether we already have an active session in TM_ACTIVE or not. With this change, all sessions will be started in TM_INITIAL, both those initiated by a peer and those started by ourselves. This simplifies state transitions and eliminates the wacky state transition where, when we have a failed renegotiation (and move TM_ACTIVE to TM_LAME_DUCK), a new session of a peer starts in TM_ACTIVE rather than TM_INITIAL.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/mudp.c |  2 +-
 src/openvpn/ssl.c  | 99 ++++++++++++++++------------------------------
 2 files changed, 36 insertions(+), 65 deletions(-)

diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index 458152335..c27c6da5b 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
@@ -257,7 +257,7 @@ multi_get_create_instance_udp(struct multi_context *m, bool *floated) && session_id_defined((&state.peer_session_id))) { mi->context.c2.tls_multi->n_sessions++; - struct tls_session *session = &mi->context.c2.tls_multi->session[TM_ACTIVE]; + struct tls_session *session = &mi->context.c2.tls_multi->session[TM_INITIAL]; session_skip_to_pre_start(session, &state, &m->top.c2.from); } } diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index a5fb4fd22..b1dc80c40 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1327,11 +1327,7 @@ tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu) /* initialize the active and untrusted sessions */ tls_session_init(multi, &multi->session[TM_ACTIVE]); - - if (!multi->opt.single_session) - { - tls_session_init(multi, &multi->session[TM_INITIAL]); - } + tls_session_init(multi, &multi->session[TM_INITIAL]); } /* @@ -3173,8 +3169,11 @@ tls_multi_process(struct tls_multi *multi, struct key_state *ks = &session->key[KS_PRIMARY]; struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; - /* set initial remote address */ - if (i == TM_ACTIVE && ks->state == S_INITIAL + /* set initial remote address. This triggers connecting with that + * session. So we only do that if the TM_ACTIVE session is not + * established */ + if (i == TM_INITIAL && ks->state == S_INITIAL + && get_primary_key(multi)->state <= S_INITIAL && link_socket_actual_defined(&to_link_socket_info->lsa->actual)) { ks->remote_addr = to_link_socket_info->lsa->actual; @@ -3221,13 +3220,14 @@ tls_multi_process(struct tls_multi *multi, { ++multi->n_soft_errors; - if (i == TM_ACTIVE) + if (i == TM_ACTIVE + || (i == TM_INITIAL && get_primary_key(multi)->state < S_ACTIVE)) { error = true; } if (i == TM_ACTIVE - && ks_lame->state >= S_ACTIVE + && ks_lame->state >= S_GENERATED_KEYS && !multi->opt.single_session) { move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true); 
@@ -3302,7 +3302,9 @@ tls_multi_process(struct tls_multi *multi, if (TLS_AUTHENTICATED(multi, &multi->session[TM_INITIAL].key[KS_PRIMARY])) { move_session(multi, TM_ACTIVE, TM_INITIAL, true); - msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: untrusted session promoted to %strusted", + tas = tls_authentication_status(multi); + msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: initial untrusted " + "session promoted to %strusted", tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-"); if (multi->multi_state == CAS_CONNECT_DONE) @@ -3633,55 +3635,8 @@ tls_pre_decrypt(struct tls_multi *multi, /* * Hard reset and session id does not match any session in - * multi->session: Possible initial packet - */ - if (i == TM_SIZE && is_hard_reset_method2(op)) - { - struct tls_session *session = &multi->session[TM_ACTIVE]; - const struct key_state *ks = get_primary_key(multi); - - /* - * If we have no session currently in progress, the initial packet will - * open a new session in TM_ACTIVE rather than TM_UNTRUSTED. - */ - if (!session_id_defined(&ks->session_id_remote)) - { - if (multi->opt.single_session && multi->n_sessions) - { - msg(D_TLS_ERRORS, - "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]", - print_link_socket_actual(from, &gc)); - goto error; - } - -#ifdef ENABLE_MANAGEMENT - if (management) - { - management_set_state(management, - OPENVPN_STATE_AUTH, - NULL, - NULL, - NULL, - NULL, - NULL); - } -#endif - - msg(D_TLS_DEBUG_LOW, - "TLS: Initial packet from %s, sid=%s", - print_link_socket_actual(from, &gc), - session_id_print(&sid, &gc)); - - do_burst = true; - new_link = true; - i = TM_ACTIVE; - session->untrusted_addr = *from; - } - } - - /* - * If we detected new session in the last if block, variable i has - * changed to TM_ACTIVE, so check the condition again. + * multi->session: Possible initial packet. New sessions always start + * as TM_INITIAL */ if (i == TM_SIZE && is_hard_reset_method2(op)) { 
@@ -3689,16 +3644,17 @@ tls_pre_decrypt(struct tls_multi *multi, * No match with existing sessions, * probably a new session. */ - struct tls_session *session = &multi->session[TM_UNTRUSTED]; + struct tls_session *session = &multi->session[TM_INITIAL]; /* * If --single-session, don't allow any hard-reset connection request * unless it the first packet of the session. */ - if (multi->opt.single_session) + if (multi->opt.single_session && multi->n_sessions) { msg(D_TLS_ERRORS, - "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]", + "TLS Error: Cannot accept new session request from %s due " + "to session context expire or --single-session", print_link_socket_actual(from, &gc)); goto error; } @@ -3709,6 +3665,19 @@ tls_pre_decrypt(struct tls_multi *multi, goto error; } +#ifdef ENABLE_MANAGEMENT + if (management) + { + management_set_state(management, + OPENVPN_STATE_AUTH, + NULL, + NULL, + NULL, + NULL, + NULL); + } +#endif + /* * New session-initiating control packet is authenticated at this point, * assuming that the --tls-auth command line option was used. @@ -3716,9 +3685,11 @@ tls_pre_decrypt(struct tls_multi *multi, * Without --tls-auth, we leave authentication entirely up to TLS. */ msg(D_TLS_DEBUG_LOW, - "TLS: new session incoming connection from %s", - print_link_socket_actual(from, &gc)); + "TLS: Initial packet from %s, sid=%s", + print_link_socket_actual(from, &gc), + session_id_print(&sid, &gc)); + do_burst = true; new_link = true; i = TM_INITIAL; session->untrusted_addr = *from;
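Review bot: in the mudp.c hunk (multi_get_create_instance_udp), session_skip_to_pre_start() now operates on session[TM_INITIAL], which is only safe because the tls_multi_init_finalize hunk in ssl.c drops the `if (!multi->opt.single_session)` guard around `tls_session_init(multi, &multi->session[TM_INITIAL]);`. Before this series, TM_INITIAL was left uninitialized under --single-session. The two hunks are therefore coupled; a sentence in the commit message stating that TM_INITIAL is now always initialized, also with --single-session, and that --single-session is from now on enforced solely by the `multi->opt.single_session && multi->n_sessions` check in tls_pre_decrypt, would make that dependency explicit for anyone bisecting later.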
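Review bot: in the tls_multi_process hunk at @@ -3173 the new comment says the remote address is only set "if the TM_ACTIVE session is not established", but the condition tests `get_primary_key(multi)->state <= S_INITIAL`, which is stricter than "not established": a primary key in any intermediate state above S_INITIAL but below S_ACTIVE is also not established, yet it suppresses the connect. Either the comment should say "only if the TM_ACTIVE session has not started connecting" or the condition should use the threshold the comment describes; as written, a reader cannot tell which one is the intended semantics.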
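Review bot: the tls_multi_process hunk at @@ -3221 contains a second change that the commit message does not mention: the lame-duck restore threshold moves from `ks_lame->state >= S_ACTIVE` to `ks_lame->state >= S_GENERATED_KEYS`, which alters which lame-duck sessions are moved back to TM_ACTIVE on a soft error, independently of where new sessions start. Please either explain why the weaker threshold is correct here or split it into its own patch. Also note the inconsistency with the previous hunk: there "TM_ACTIVE not established" is expressed as `get_primary_key(multi)->state <= S_INITIAL`, here the new error condition uses `get_primary_key(multi)->state < S_ACTIVE`; if both are meant to capture the same notion, they should use the same comparison.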
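Review bot: in the hunk at @@ -3302, `tas = tls_authentication_status(multi);` is now recomputed after move_session(multi, TM_ACTIVE, TM_INITIAL, true), so the "promoted to %strusted" message reflects the status of the freshly promoted session rather than a value computed before the move. That is the right order, but because `tas` is reassigned rather than a local introduced, any later use of `tas` in the same function will now see the post-promotion value; a one-line comment ("refresh after promotion, status now refers to the new TM_ACTIVE session") would make the intent clear to the next reader.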
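Review bot: the tls_pre_decrypt hunk at @@ -3633 removes the whole "open a new session in TM_ACTIVE" block, and with it the management_set_state(OPENVPN_STATE_AUTH, ...) call, `do_burst = true;`, the "TLS: Initial packet from %s, sid=%s" message and the "[1]" --single-session rejection. All four are re-added on the TM_INITIAL path in the following hunks, but the commit message only describes the state change; listing that these side effects were moved, not dropped, would make the hunk far easier to review against the later ones.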
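Review bot: in the hunk at @@ -3689 the --single-session check gains `&& multi->n_sessions`. Previously this path rejected every hard reset under --single-session unconditionally (the "[2]" message), and only the now-removed TM_ACTIVE path had the n_sessions qualifier. After the change, one hard reset is accepted here while n_sessions is still 0. Please confirm that every code path that accepts a first session increments n_sessions before a second hard reset can be processed; the mudp.c hunk does `n_sessions++` right before session_skip_to_pre_start(), but it is not visible in this patch whether the non-skip path does the same, and if it does not, a second hard reset could start another session despite --single-session.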
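Review bot: the hunk at @@ -3709 re-adds the `#ifdef ENABLE_MANAGEMENT` management_set_state(management, OPENVPN_STATE_AUTH, ...) block, but on a broader path than before. In the removed code it ran only when no session was in progress (`!session_id_defined(&ks->session_id_remote)`); here it runs for every accepted hard reset that lands in TM_INITIAL, including a peer-initiated new session while TM_ACTIVE is established. If signalling OPENVPN_STATE_AUTH to the management interface in that case is intended, say so in the commit message; otherwise guard it on the primary key state as the @@ -3173 hunk does.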
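Review bot: in the hunk at @@ -3716, `do_burst = true;` is now set for every new incoming TM_INITIAL session, whereas before it was set only in the removed TM_ACTIVE "initial packet" branch, and the "TLS: new session incoming connection from %s" message is replaced by the "Initial packet" message with the session id. The log change is fine, but the do_burst behaviour change for peer-initiated sessions arriving while a session is already established is not mentioned in the commit message and deserves a sentence.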