From patchwork Wed Mar 1 13:53:52 2023
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 3102
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 1 Mar 2023 14:53:52 +0100
Message-Id: <20230301135353.2811069-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
Subject: [Openvpn-devel] [PATCH 1/2] Use key_state instead of multi for tls_send_payload parameter

Currently, this function and other parts of OpenVPN assume that
multi->session[TM_ACTIVE].key[KS_PRIMARY] is always the right session to send
control message.
This assumption was only achieved through complicated session moving and
shuffling in our state machine in the past. The old logic basically also always
assumed that control messages are always for fully authenticated clients. This
assumption was never really true (see AUTH_FAILED message) but has been broken
even more by auth-pending. Cleaning up the state machine transitions in
7dcde87b7a broke this assumption even more.

This change now allows specifying the key_state/TLS session that is used to
send the control message.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/forward.c | 5 ++++-
 src/openvpn/ssl.c     | 7 ++-----
 src/openvpn/ssl.h     | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 257c7c75c..9bb099097 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -372,8 +372,11 @@ send_control_channel_string_dowork(struct tls_multi *multi, struct gc_arena gc = gc_new(); bool stat; + ASSERT(multi); + struct key_state *ks = get_key_scan(multi, 0); + /* buffered cleartext write onto TLS control channel */ - stat = tls_send_payload(multi, (uint8_t *) str, strlen(str) + 1); + stat = tls_send_payload(ks, (uint8_t *) str, strlen(str) + 1); msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)", tls_common_name(multi, false), diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 016bdc57f..b84f23c62 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3988,18 +3988,15 @@ tls_post_encrypt(struct tls_multi *multi, struct buffer *buf) */ bool -tls_send_payload(struct tls_multi *multi, +tls_send_payload(struct key_state *ks, const uint8_t *data, int size) { - struct key_state *ks; bool ret = false; tls_clear_error(); - ASSERT(multi); - - ks = get_key_scan(multi, 0); + ASSERT(ks); if (ks->state >= S_ACTIVE) { diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index b0a2823fb..7ea13b920 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h
@@ -414,7 +414,7 @@ void ssl_put_auth_challenge(const char *cr_str); /* * Send a payload over the TLS control channel */ -bool tls_send_payload(struct tls_multi *multi, +bool tls_send_payload(struct key_state *ks, const uint8_t *data, int size);
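Review bot: in the forward.c hunk, the caller still hard-codes `struct key_state *ks = get_key_scan(multi, 0);`, so send_control_channel_string_dowork() keeps sending on the primary key of the active session, which is exactly the assumption the commit message calls wrong; this hunk is an interface change with no behaviour change yet. State that in the commit message (or point at 2/2 where the caller starts choosing the session), and note that the log line `tls_common_name(multi, false)` in the trailing context still names the session via multi, which is only guaranteed to match while ks is derived from multi this way.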
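Review bot: in the ssl.c hunk, tls_send_payload() now takes the key_state directly but still gates on `if (ks->state >= S_ACTIVE)`, so a caller passing the key state of a client that is in auth-pending or about to receive AUTH_FAILED gets `ret = false` just as before. Since the commit message motivates the change with those not-fully-authenticated cases, the commit message should say whether this gate is meant to stay (callers must pick a key state that has reached S_ACTIVE) or is relaxed in the follow-up. Replacing `ASSERT(multi)` with `ASSERT(ks)` is the right check to keep here, because the pointer is now supplied by the caller rather than looked up internally via get_key_scan().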
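Review bot: the ssl.h hunk changes the prototype to `bool tls_send_payload(struct key_state *ks,` but leaves the comment `Send a payload over the TLS control channel` untouched, although the contract changed: the caller now selects the key_state instead of the function deriving it from multi. Document in that comment which key state the caller must pass (the one of the TLS session the control message belongs to) and that the send is refused with a false return when that key state is below S_ACTIVE, as the ssl.c hunk shows.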