From patchwork Fri Jul 17 14:14:47 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 5112 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7001:2a88:10b0:87c:c0c2:48b6 with SMTP id qv8-n1csp1194609mab; Fri, 17 Jul 2026 07:15:11 -0700 (PDT) X-Forwarded-Encrypted: i=2; AHgh+RqaGYOF1veCmBViAhohC47waiWHBZHvRujjAl4oj6LLQ1GL2HoFtRSeZw7haf1Mz/NyYkt12PHd4ds=@openvpn.net X-Received: by 2002:a05:6830:6d53:b0:7e9:e094:db6d with SMTP id 46e09a7af769-7ed9aa45521mr1302645a34.4.1784297711474; Fri, 17 Jul 2026 07:15:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1784297711; cv=none; d=google.com; s=arc-20260327; b=Gok4H5fp8g1auAOJgfvCCmBOUpGi4FzgjrJv28FvS3UMB261QwcvI4CeF4CGFCMfdb HvGaw11y+jCoN5yJPIMY1S0gZZtJ66Rs23t6IZ3GtEIAzqfRcjZowVwam5O/gJp7UQqb VU7ENxYhRRcpIyoz0xIUs+T69MdmnF9fFAU3VEXhS35n+b2Wh4bSoa36PqKpTH7NcJTq qm4y6kMrCqYsgb7rfD3hFBAqXrPTIzXRhAstoW6hoTOfPBDO8ELcId0dL1poL3AsnVdO mRKAffGXwGt3bEjj02mwv94Lpa+4UrN9V9NXSbImn74ue7dgvywGYwFrSfj9fSKVRF1a iYOw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20260327; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=nLItzGD5l02ywfq9RtPIxYkTTy5P/85ktH6PEmwjT4Q=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=LLtOXGG83YkclFQiTMgj9jotf+Bz7bWFIb8yqR8lKkrh644zpmNE+jzKgsLHx49otV dL9ezMHYbpmCvh77QniYcl1vJTNgkKMZy57vqseVcR3jwWLKQN5PZJInkQPQVEjhhEUf uX9LVMt+96bWqvg8Kqvu6sgw32gaDehghL3y/iWfaUPNGxRqTX01GmWCz7EprOFf+AOn jDhpGyRzz5nnjtrbMMgLB04f9SbvIqud2GJDf6UP8wQDccOWM9kgqNMu2/i5e+47TFdh 1cAMM5DdKoynQPgpFCb6Ta7UEs5oFumMBNXWA3udZsT2O/GS1/rqu9dDE+ksSSU5zM/n qrMQ==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=dnzeJO0C; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=MjtzDaYg; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=IBXn9wEb; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 46e09a7af769-7edafb193casi1181660a34.72.2026.07.17.07.15.11 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 17 Jul 2026 07:15:11 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=dnzeJO0C; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=MjtzDaYg; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=IBXn9wEb; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=nLItzGD5l02ywfq9RtPIxYkTTy5P/85ktH6PEmwjT4Q=; b=dnzeJO0CzW7CqDVRZpaqSGkCbq LPMq8NnApDQFPUIbHqrSTUYefYfs+eDexMmI0lt1HoArU7NEU91ixzg0NpK71TMkpr4YXzCCXBGMI /5/ILC1Lup9w1WcNQ3CWhlDpwU0qYI7aRMKxkUbN8fw6Ej401kTL1wZLa6i4yfafKsnc=; Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1wkjLH-00019a-QT; Fri, 17 Jul 2026 14:15:08 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1wkjLG-00019L-7F for openvpn-devel@lists.sourceforge.net; Fri, 17 Jul 2026 14:15:07 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=tM8dm/KPzaFdOoQ9WVvJCK8V7AfobE8JckjwB1TDdmY=; b=MjtzDaYg17Y/RZRQWfijU8xPsr lPUFTzxbz7XNkfBE26vfnE9hgsNioi4RzXSYnssnr0rhT/EM7i+PvwGBBJpZUMhYxAxGAyy7gLK63 h3uOwlO0tUc4uuReW7fB23L+PxopUD1Grgu9mOS9QsSE1qnShL+YSqpCryK4nApTTO54=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=tM8dm/KPzaFdOoQ9WVvJCK8V7AfobE8JckjwB1TDdmY=; b=IBXn9wEbvN4ncIw3QeGMgwNzoj OHZL2gCzDUWRTrpW8cdM+2f+qsM/w1vnOschfJjfSltiH7CxJ5oNkUXz8xJs0weDtV3j3EyxZIglu NRFs+GSAYvSCtarIm1KPhkaETXRXQ9FrgZJOm1HYt3cOH1G9w3wtmOBb5deO0uK6mvNk=; Received: from [193.149.48.129] (helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1wkjLF-0004Pr-78 for openvpn-devel@lists.sourceforge.net; Fri, 17 Jul 2026 14:15:06 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.18.1/8.18.1) with ESMTP id 66HEErMp023012 for ; Fri, 17 Jul 2026 16:14:53 +0200 Received: (from gert@localhost) by blue.greenie.muc.de (8.18.2/8.18.1/Submit) id 66HEEr72023011 for openvpn-devel@lists.sourceforge.net; Fri, 17 Jul 2026 16:14:53 +0200 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Fri, 17 Jul 2026 16:14:47 +0200 Message-ID: <20260717141453.22980-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.53.0 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-2.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Arne Schwabe Change-Id: I3d52c6d008502293c3ec57ad22d1c613dcd1a94e Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Gerrit URL: https://gerrit.openvpn.net/c/openvpn [...] Content analysis details: (1.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS X-Headers-End: 1wkjLF-0004Pr-78 Subject: [Openvpn-devel] [PATCH v4] Extract multi_check_dest_addr_allowed from multi_process_float X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: 1870971756801370358 X-GMAIL-MSGID: 1870971756801370358 From: Arne Schwabe Change-Id: I3d52c6d008502293c3ec57ad22d1c613dcd1a94e Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1723 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1723 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 7535797..c40ebe4 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3072,6 +3072,76 @@ } /** + * This methods checks if a client instance is allowed to use an address + * + * Reasons for disallowing a specific address are that a client might be + * already using that address. In that case the method needs to decide + * if this instance can kick out the other instance. + * + * The method will then terminate the other instance if that check was + * positive. + */ +static bool +multi_check_dest_addr_allowed(struct multi_context *m, struct multi_instance *mi, struct mroute_addr *real) +{ + struct hash *hash = m->hash; + const uint64_t hv = hash_value(hash, real); + struct hash_bucket *bucket = hash_bucket(hash, hv); + + /* make sure that we don't assign the client to an address taken by + * another client */ + struct hash_element *he = hash_lookup_fast(hash, bucket, real, hv); + if (!he) + { + /* Address is not taken, everything is fine. */ + return true; + } + + struct multi_instance *ex_mi = he->value; + + struct tls_multi *m1 = mi->context.c2.tls_multi; + struct tls_multi *m2 = ex_mi->context.c2.tls_multi; + + struct gc_arena gc = gc_new(); + int ret = false; + + /* do not allow if target address is taken by client with another cert */ + if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set)) + { + msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s", + multi_instance_string(ex_mi, false, &gc)); + + mi->context.c2.buf.len = 0; + goto done; + } + + /* It doesn't make sense to let a peer float to the address it already + * has, so we disallow it. This can happen if a DCO netlink notification + * gets lost and we miss a floating step. + */ + if (m1->rx_peer_id == m2->rx_peer_id) + { + msg(M_WARN, + "disallowing peer %" PRIu32 " (%s) from floating to " + "its own address (%s)", + m1->rx_peer_id, tls_common_name(mi->context.c2.tls_multi, false), + mroute_addr_print(&mi->real, &gc)); + goto done; + } + + msg(D_MULTI_LOW, + "closing instance %s due to float collision with %s " + "using the same certificate", + multi_instance_string(ex_mi, false, &gc), multi_instance_string(mi, false, &gc)); + multi_close_instance(m, ex_mi, false); + ret = true; + +done: + gc_free(&gc); + return ret; +} + +/** * Handles peer floating. * * If peer is floated to a taken address, either drops packet @@ -3083,8 +3153,6 @@ multi_process_float(struct multi_context *m, struct multi_instance *mi, struct link_socket *sock) { struct mroute_addr real = { 0 }; - struct hash *hash = m->hash; - struct gc_arena gc = gc_new(); if (mi->real.type & MR_WITH_PROTO) { @@ -3094,53 +3162,16 @@ if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true)) { - goto done; + return; } - const uint64_t hv = hash_value(hash, &real); - struct hash_bucket *bucket = hash_bucket(hash, hv); - - /* make sure that we don't float to an address taken by another client */ - struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv); - if (he) + if (!multi_check_dest_addr_allowed(m, mi, &real)) { - struct multi_instance *ex_mi = (struct multi_instance *)he->value; - - struct tls_multi *m1 = mi->context.c2.tls_multi; - struct tls_multi *m2 = ex_mi->context.c2.tls_multi; - - /* do not float if target address is taken by client with another cert */ - if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set)) - { - msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s", - multi_instance_string(ex_mi, false, &gc)); - - mi->context.c2.buf.len = 0; - - goto done; - } - - /* It doesn't make sense to let a peer float to the address it already - * has, so we disallow it. This can happen if a DCO netlink notification - * gets lost and we miss a floating step. - */ - if (m1->rx_peer_id == m2->rx_peer_id) - { - msg(M_WARN, - "disallowing peer %" PRIu32 " (%s) from floating to " - "its own address (%s)", - m1->rx_peer_id, tls_common_name(mi->context.c2.tls_multi, false), - mroute_addr_print(&mi->real, &gc)); - goto done; - } - - msg(D_MULTI_LOW, - "closing instance %s due to float collision with %s " - "using the same certificate", - multi_instance_string(ex_mi, false, &gc), multi_instance_string(mi, false, &gc)); - multi_close_instance(m, ex_mi, false); + return; } + struct gc_arena gc = gc_new(); + msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s", mi->context.c2.tls_multi->rx_peer_id, tls_common_name(mi->context.c2.tls_multi, false), @@ -3169,7 +3200,6 @@ ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true)); #endif -done: gc_free(&gc); }