From patchwork Thu Apr 25 15:50:07 2024
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 3690
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Cc: Reynir Björnsson
Date: Thu, 25 Apr 2024 17:50:07 +0200
Message-Id: <20240425155007.62606-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v2] Only schedule_exit() once
From: Reynir Björnsson If an exit has already been scheduled we should not schedule it again. Otherwise, the exit signal is never emitted if the peer reschedules the exit before the timeout occurs. schedule_exit() now only takes the context as argument. The signal is hard coded to SIGTERM, and the interval is read directly from the context options. Furthermore, schedule_exit() now returns a bool signifying whether an exit was scheduled; false if exit is already scheduled. The call sites are updated accordingly. A notable difference is that management is only notified *once* when an exit is scheduled - we no longer notify management on redundant exit. Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661 Signed-off-by: Reynir Björnsson Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/555 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 8d10f25..937fae4 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -514,17 +514,23 @@ } /* - * Schedule a signal n_seconds from now. + * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now. */ -void -schedule_exit(struct context *c, const int n_seconds, const int signal) +bool +schedule_exit(struct context *c) { + const int n_seconds = c->options.scheduled_exit_interval; + /* don't reschedule if already scheduled. */ + if (event_timeout_defined(&c->c2.scheduled_exit)) { + return false; + } tls_set_single_session(c->c2.tls_multi); update_time(); reset_coarse_timers(c); event_timeout_init(&c->c2.scheduled_exit, n_seconds, now); - c->c2.scheduled_exit_signal = signal; + c->c2.scheduled_exit_signal = SIGTERM; msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds); + return true; } /* 
diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 6fb5a18..422c591 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -303,7 +303,7 @@ void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf); -void schedule_exit(struct context *c, const int n_seconds, const int signal); +bool schedule_exit(struct context *c); static inline struct link_socket_info * get_link_socket_info(struct context *c) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 1b406b9..db1fd2e 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -191,6 +191,7 @@ receive_exit_message(struct context *c) { dmsg(D_STREAM_ERRORS, "CC-EEN exit message received by peer"); + bool notify_management = true; /* With control channel exit notification, we want to give the session * enough time to handle retransmits and acknowledgment, so that eventual * retries from the client to resend the exit or ACKs will not trigger @@ -204,14 +205,14 @@ * */ if (c->options.mode == MODE_SERVER) { - schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM); + notify_management = schedule_exit(c); } else { register_signal(c->sig, SIGUSR1, "remote-exit"); } #ifdef ENABLE_MANAGEMENT - if (management) + if (management && notify_management) { management_notify(management, "info", "remote-exit", "EXIT"); } @@ -391,7 +392,7 @@ void send_auth_failed(struct context *c, const char *client_reason) { - if (event_timeout_defined(&c->c2.scheduled_exit)) + if (!schedule_exit(c)) { msg(D_TLS_DEBUG, "exit already scheduled for context"); return; @@ -401,8 +402,6 @@ static const char auth_failed[] = "AUTH_FAILED"; size_t len; - schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM); - len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed); if (len > PUSH_BUNDLE_SIZE) { 
@@ -492,7 +491,7 @@ void send_restart(struct context *c, const char *kill_msg) { - schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM); + schedule_exit(c); send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH); }
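Review bot: In src/openvpn/forward.c, the comment above schedule_exit() does not document the new bool return value, although the callers in push.c now branch on it. The comment (and the prototype in forward.h) should state that the function returns true when this call scheduled the exit and false when an exit was already pending and nothing was changed. As a style point, the added `if (event_timeout_defined(&c->c2.scheduled_exit)) {` keeps the opening brace on the condition line, while the unchanged `if` in send_auth_failed() has its brace on a line of its own; moving the brace down would match the surrounding code.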
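Review bot: In receive_exit_message() (src/openvpn/push.c), notify_management is declared and assigned outside the `#ifdef ENABLE_MANAGEMENT` block but read only inside it, so a build without ENABLE_MANAGEMENT is left with a variable that is set and never used, which compilers can warn about. Consider moving the declaration and the read under the same guard, or restructuring so the result of schedule_exit(c) is consumed where it is produced. The client branch (register_signal) leaves notify_management at true, so management is still notified on every exit message there; a short comment saying the notify-once behaviour applies to server mode only would make that explicit.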
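Review bot: In send_auth_failed() (src/openvpn/push.c), `if (!schedule_exit(c))` replaces a side-effect-free check with a call that also arms the exit timer, so the condition now reads like a test but changes state. A one-line comment at the call, or assigning the result to a named local before the `if`, would make it clear to later readers that this is where the exit gets scheduled and that the early return covers the already-scheduled case.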
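Review bot: In send_restart() (src/openvpn/push.c), the return value of `schedule_exit(c);` is discarded, so when an exit is already pending the RESTART (or kill_msg) string is still sent through send_control_channel_string(), whereas send_auth_failed() returns early in the same situation. If sending the message again is intended, say so in a comment and mark the call with a `(void)` cast; if not, return early when schedule_exit() returns false so the two call sites behave the same way.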