From patchwork Fri Sep 6 14:57:45 2024
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 3803
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 6 Sep 2024 16:57:45 +0200
Message-Id: <20240906145745.67596-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v5] Ensures all params are ready before invoking dco_set_peer()

From: Gianmarco De Gregori

In the UDP case, dco_set_peer() is currently performed at the wrong time, since the mssfix param is calculated later on in tls_session_update_crypto_params_do_work(). By moving dco_set_peer() inside tls_session_update_crypto_params_do_work() and removing p2p_set_dco_keepalive() (otherwise, on the client side, dco_set_peer() would be called twice), we will ensure that all crypto and frame params are properly initialized and that, if an update occurs, DCO is notified.

Change-Id: Ic8538e734dba53cd43fead3961e4401c8037e079
Signed-off-by: Gianmarco De Gregori Acked-by: Lev Stipakov --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/587 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): Lev Stipakov diff --git a/src/openvpn/init.c b/src/openvpn/init.c index a49e563..c636609 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2178,27 +2178,6 @@ || !memcmp(a, &zero, sizeof(struct sha256_digest)); } -static bool -p2p_set_dco_keepalive(struct context *c) -{ - if (dco_enabled(&c->options) - && (c->options.ping_send_timeout || c->c2.frame.mss_fix)) - { - int ret = dco_set_peer(&c->c1.tuntap->dco, - c->c2.tls_multi->dco_peer_id, - c->options.ping_send_timeout, - c->options.ping_rec_timeout, - c->c2.frame.mss_fix); - if (ret < 0) - { - msg(D_DCO, "Cannot set parameters for DCO peer (id=%u): %s", - c->c2.tls_multi->dco_peer_id, strerror(-ret)); - return false; - } - } - return true; -} - /** * Helper function for tls_print_deferred_options_results * Adds the ", " delimitor if there already some data in the @@ -2359,7 +2338,8 @@ if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, frame_fragment, - get_link_socket_info(c))) + get_link_socket_info(c), + &c->c1.tuntap->dco)) { msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); return false; @@ -2468,12 +2448,6 @@ } } - if (c->mode == MODE_POINT_TO_POINT && !p2p_set_dco_keepalive(c)) - { - msg(D_TLS_ERRORS, "ERROR: Failed to apply DCO keepalive or MSS fix parameters"); - return false; - } - if (c->c2.did_open_tun) { c->c1.pulled_options_digest_save = c->c2.pulled_options_digest; 
@@ -2578,7 +2552,8 @@ if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, frame_fragment, - get_link_socket_info(c))) + get_link_socket_info(c), + &c->c1.tuntap->dco)) { msg(D_TLS_ERRORS, "ERROR: failed to set crypto cipher"); return false; diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 03177bb..0509911 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2364,21 +2364,6 @@ return false; } - if (mi->context.options.ping_send_timeout || mi->context.c2.frame.mss_fix) - { - ret = dco_set_peer(&mi->context.c1.tuntap->dco, - mi->context.c2.tls_multi->dco_peer_id, - mi->context.options.ping_send_timeout, - mi->context.options.ping_rec_timeout, - mi->context.c2.frame.mss_fix); - if (ret < 0) - { - msg(D_DCO, "Cannot set DCO peer parameters for %s (id=%u): %s", - multi_instance_string(mi, false, gc), - mi->context.c2.tls_multi->dco_peer_id, strerror(-ret)); - return false; - } - } return true; } @@ -2398,7 +2383,8 @@ struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, frame_fragment, - get_link_socket_info(c))) + get_link_socket_info(c), + &c->c1.tuntap->dco)) { msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); register_signal(c->sig, SIGUSR1, "process-push-msg-failed"); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index e0e9591..0921ada 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1584,7 +1584,8 @@ struct options *options, struct frame *frame, struct frame *frame_fragment, - struct link_socket_info *lsi) + struct link_socket_info *lsi, + dco_context_t *dco) { if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized) { 
@@ -1631,6 +1632,26 @@ return false; } } + + if (dco_enabled(options)) + { + /* dco_set_peer() must be called only when both + * keepalive and mss_fix are properly set. */ + if (options->ping_send_timeout || frame->mss_fix) + { + int ret = dco_set_peer(dco, + multi->dco_peer_id, + options->ping_send_timeout, + options->ping_rec_timeout, + frame->mss_fix); + if (ret < 0) + { + msg(D_DCO, "Cannot set DCO peer parameters for peer (id=%u): %s", + multi->dco_peer_id, strerror(-ret)); + return false; + } + } + } return tls_session_generate_data_channel_keys(multi, session); } @@ -1639,7 +1660,8 @@ struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, - struct link_socket_info *lsi) + struct link_socket_info *lsi, + dco_context_t *dco) { if (!check_session_cipher(session, options)) { @@ -1650,7 +1672,7 @@ session->opt->crypto_flags |= options->imported_protocol_flags; return tls_session_update_crypto_params_do_work(multi, session, options, - frame, frame_fragment, lsi); + frame, frame_fragment, lsi, dco); } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 1a45048..0e43961 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -457,6 +457,8 @@ * @param frame_fragment The fragment frame options. * @param lsi link socket info to adjust MTU related options * depending on the current protocol + * @param dco The dco context to perform dco_set_peer() + * whenever a crypto param update occurs. * * @return true if updating succeeded or keys are already generated, false otherwise. */ @@ -465,7 +467,8 @@ struct options *options, struct frame *frame, struct frame *frame_fragment, - struct link_socket_info *lsi); + struct link_socket_info *lsi, + dco_context_t *dco); /* * inline functions
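Review bot: in the init.c hunk at @@ -2359,7 (and likewise at init.c @@ -2578,7 and multi.c @@ -2398,7), `&c->c1.tuntap->dco` is now evaluated unconditionally at the call site, whereas the removed p2p_set_dco_keepalive() only touched c->c1.tuntap after dco_enabled() had returned true. Please confirm that c->c1.tuntap is guaranteed to be allocated at all three call sites on every path (including the non-DCO builds where dco_context_t is a stub), or pass NULL when DCO is disabled so the callee never receives a pointer derived from an unallocated tuntap.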
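Review bot: with the p2p_set_dco_keepalive() call dropped in the init.c hunk at @@ -2468,12, a dco_set_peer() failure on the client is now surfaced by the callers as "OPTIONS ERROR: failed to import crypto options" (hunk @@ -2359,7) or "ERROR: failed to set crypto cipher" (hunk @@ -2578,7), neither of which points at DCO or keepalive/mssfix. The D_DCO message inside tls_session_update_crypto_params_do_work() still names the real cause, but the D_TLS_ERRORS line is what an operator will see first; consider making the callers' messages generic ("failed to update crypto parameters") so the log does not steer people toward the cipher negotiation when it is the DCO peer update that failed.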
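Review bot: the multi.c hunk at @@ -2364,21 removes the only visible assignment to `ret` in the enclosing function; if `ret` is not used by the lines above the hunk it is now an unused variable and will warn under -Wall, so please check the remainder of that function. Separately, the server side now relies on dco_new_peer() having already run for the instance by the time tls_session_update_crypto_params() is reached via the multi.c hunk at @@ -2398,7; the removed code enforced that ordering by doing both in the same function, so a one-line comment at the new call site stating the precondition would make the dependency visible.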
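Review bot: in the ssl.c hunk at @@ -1631,6 the new comment says dco_set_peer() "must be called only when both keepalive and mss_fix are properly set", but the guard is `options->ping_send_timeout || frame->mss_fix`, i.e. either one suffices, which matches the removed code in init.c and multi.c; fix the comment ("when at least one of keepalive or mss_fix is set") rather than the condition. Also, the function opens with `if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized)` (ssl.c hunk @@ -1584,7); if that branch returns early, calls made after the keys already exist never reach the new block, so the commit message's "if an update occurs dco will be notified" only holds for the call that generates the data channel keys and should be stated that way. Nit: "Cannot set DCO peer parameters for peer (id=%u)" reads doubly; the old "Cannot set parameters for DCO peer (id=%u)" was cleaner.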
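Review bot: the ssl.h hunk at @@ -457,6 documents the new `dco` parameter but not its contract: it is only dereferenced when dco_enabled(options) is true, and dco_set_peer() is only issued when ping_send_timeout or mss_fix is non-zero. Adding that to the @param line tells callers whether they may pass NULL in non-DCO configurations without having to read ssl.c.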