From patchwork Tue Nov 16 16:53:21 2021
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 2079
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Cc: Lev Stipakov
Date: Wed, 17 Nov 2021 05:53:21 +0200
Message-Id: <20211117035321.249-1-lstipakov@gmail.com>
X-Mailer: git-send-email 2.17.1
Subject: [Openvpn-devel] [PATCH master+release/2.5] Tune down verbosity for suspected retransmits
From: Lev Stipakov

There are cases when a control packet is not acked fast enough, for example when handling PUSH_REPLY, which requires setting up the tunnel. In those cases the packet will be retransmitted.

OpenVPN 2 changes the packet-id on retransmission, so it passes replay protection and gets rejected as a replay by the reliability layer, which checks another packet-id (sequence id) that is used to assemble our TCP-like stream.

OpenVPN 3, however, doesn't change the packet-id on retransmission, which triggers replay protection and causes level 1 nonfatal errors in the logs.

When replay protection sees a packet with the same timestamp and packet-id as a previously received one, this is likely a retransmission from OpenVPN 3. So as not to scare users, tune the verbosity down in this case.

Signed-off-by: Lev Stipakov
--- src/openvpn/crypto.c | 5 ++++- src/openvpn/packet_id.c | 3 +++ src/openvpn/packet_id.h | 1 + src/openvpn/ssl.c | 6 ++++-- 4 files changed, 12 insertions(+), 3 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 1dfc760f..5a0775c1 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -335,7 +335,10 @@ crypto_check_replay(struct crypto_options *opt, { if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS)) { - msg(D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- " + /* openvpn3 doesn't change packet-id on retransmit, this is + * likely the case so tune verbosity down */ + int verb = opt->packet_id.rec.retransmit ? D_PID_DEBUG : D_REPLAY_ERRORS; + msg(verb, "%s: bad packet ID (may be a %s): %s -- " "see the man page entry for --no-replay and --replay-window for " "more info or silence this warning with --mute-replay-warnings", error_prefix, packet_id_net_print(pin, true, gc)); diff --git a/src/openvpn/packet_id.c b/src/openvpn/packet_id.c index 19bf3c51..09434bbb 100644 --- a/src/openvpn/packet_id.c +++ b/src/openvpn/packet_id.c
@@ -201,6 +201,8 @@ packet_id_test(struct packet_id_rec *p, { packet_id_type diff; + p->retransmit = false; + packet_id_debug(D_PID_DEBUG, p, pin, "PID_TEST", 0); ASSERT(p->initialized); @@ -250,6 +252,7 @@ packet_id_test(struct packet_id_rec *p, } else { + p->retransmit = true; /* raised from D_PID_DEBUG_LOW to reduce verbosity */ packet_id_debug(D_PID_DEBUG_MEDIUM, p, pin, "PID_ERR replay", diff); return false; diff --git a/src/openvpn/packet_id.h b/src/openvpn/packet_id.h index 8f705964..e47d671f 100644 --- a/src/openvpn/packet_id.h +++ b/src/openvpn/packet_id.h @@ -141,6 +141,7 @@ struct packet_id_rec struct seq_list *seq_list; /* packet-id "memory" */ const char *name; int unit; + bool retransmit; /* true if last packet is suspected retransmit */ }; /* diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index b2dc48be..10f227d1 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1531,8 +1531,10 @@ read_control_auth(struct buffer *buf, openvpn_decrypt(buf, null, &ctx->opt, NULL, BPTR(buf)); if (!buf->len) { - msg(D_TLS_ERRORS, - "TLS Error: incoming packet authentication failed from %s", + /* openvpn3 doesn't change packet-id on retransmit, this is + * likely the case so tune verbosity down */ + int verb = ctx->opt.packet_id.rec.retransmit ? D_TLS_DEBUG : D_TLS_ERRORS; + msg(verb, "TLS Error: incoming packet authentication failed from %s", print_link_socket_actual(from, &gc)); goto cleanup; }
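Review bot: the new format string in the crypto.c hunk has three `%s` conversions ("%s: bad packet ID (may be a %s): %s -- ") while the argument list is unchanged and still supplies only two (`error_prefix, packet_id_net_print(pin, true, gc)`), so msg() will consume a third string argument that was never passed; either add the missing argument, for example `opt->packet_id.rec.retransmit ? "retransmit" : "replay"`, or keep the literal "may be a replay". On the same hunk: nothing limits the downgrade to the control channel. The warning being lowered is the general --replay-window warning, so once `rec.retransmit` is set by any in-window duplicate, a replayed data-channel packet is reported only at D_PID_DEBUG as well; if the intent is to quiet control-channel retransmits only, gate the new verbosity on the control-channel crypto_options (a flag alongside CO_MUTE_REPLAY_WARNINGS) rather than on `rec.retransmit` alone.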
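Review bot: in the first packet_id.c hunk the write `p->retransmit = false;` is placed before `ASSERT(p->initialized);`, so the record is modified before the function has checked that it is valid; move the reset below the ASSERT. The reset also only happens when packet_id_test() actually runs, which matters for callers that consult the flag after a failure that occurred earlier (see the ssl.c hunk).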
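Review bot: in the second packet_id.c hunk the debug line right after `p->retransmit = true;` still labels the event "PID_ERR replay", so a D_PID_DEBUG_MEDIUM trace will contradict the classification the flag now carries; label it as a suspected retransmit (for example "PID_ERR replay (suspected retransmit)") so that the trace and the lowered warning in crypto.c tell the same story. It would also help to say in a comment why this rejection path, and only this one, qualifies: the same timestamp and an id already marked in the window, which is exactly what the commit message describes.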
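Review bot: the comment on the new `bool retransmit;` field in packet_id.h ("true if last packet is suspected retransmit") should state the field's lifetime: it is meaningful only after packet_id_test() has returned false for the most recent packet and is overwritten on every call, so readers of struct packet_id_rec do not treat it as sticky state.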
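Review bot: in the ssl.c hunk `ctx->opt.packet_id.rec.retransmit` can be stale when `buf->len` is zero, because openvpn_decrypt() can fail for reasons other than the replay check (an authentication failure, for instance), in which case packet_id_test() was never reached and the flag still holds the result for the previous packet (it is only reset at the top of packet_id_test(), per the packet_id.c hunk). A genuine "incoming packet authentication failed" that follows a suspected retransmit would then be logged at D_TLS_DEBUG and disappear from normal logs. Clear the flag before calling openvpn_decrypt(), or downgrade only when the failure is known to be a replay rejection; and when it is, the message text should no longer claim that authentication failed.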
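The two-stage filtering the commit message describes, as an added example that is not OpenVPN code: a (time, packet-id) replay window modelled on the long-form check with a 64-entry window, followed by a reliability layer that drops already-received sequence numbers. It shows why an OpenVPN 2 style retransmit (fresh packet-id, same sequence number) is dropped silently by the reliability layer, while an OpenVPN 3 style retransmit (same packet-id) is rejected by the replay window, and why a captured-and-replayed control packet lands on the very same path. The struct, enum and function names are assumptions for the demo; the packets are constructed.

```c
/*
 * Added example, not OpenVPN's code: model of the replay window and the
 * reliability layer a control packet passes through on receive.
 * Assumptions: a 64-entry (time, packet-id) sliding window, as with
 * --replay-window 64; reliability sequence numbers below 64; names invented.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64

enum pid_result { PID_OK, PID_SEEN, PID_TIME_BACKTRACK, PID_TOO_OLD };

struct replay_rec {
    bool initialized;
    uint32_t time;   /* timestamp of the highest packet-id accepted */
    uint32_t id;     /* highest packet-id accepted at that timestamp */
    uint64_t seen;   /* bit k set: packet-id (id - k) already received */
};

/* Replay-window test. PID_SEEN means the exact (time, id) pair is already in
 * the window: the case the patch treats as a suspected retransmit. */
enum pid_result replay_check(struct replay_rec *r, uint32_t time, uint32_t id)
{
    if (!r->initialized || time > r->time) {       /* time moved forward: fresh window */
        r->initialized = true;
        r->time = time;
        r->id = id;
        r->seen = 1;
        return PID_OK;
    }
    if (time < r->time) {
        return PID_TIME_BACKTRACK;
    }
    if (id > r->id) {                              /* newest id so far: slide the window */
        uint32_t shift = id - r->id;
        r->seen = (shift >= 64) ? 0 : (r->seen << shift);
        r->seen |= 1;
        r->id = id;
        return PID_OK;
    }
    uint32_t diff = r->id - id;                    /* reordered or replayed */
    if (diff >= REPLAY_WINDOW) {
        return PID_TOO_OLD;
    }
    if (r->seen & (1ULL << diff)) {
        return PID_SEEN;
    }
    r->seen |= (1ULL << diff);
    return PID_OK;
}

/* Reliability layer: a control segment whose sequence number was already
 * received is a duplicate and is dropped without any warning. */
struct reliable_rx { uint64_t received; };       /* bit n set: seq n received */

bool reliable_accept(struct reliable_rx *rx, unsigned seq)
{
    if (seq >= 64 || (rx->received & (1ULL << seq))) {
        return false;
    }
    rx->received |= (1ULL << seq);
    return true;
}

enum rx_outcome {
    RX_DELIVERED,            /* new data for the TLS stream */
    RX_DUP_SILENT,           /* replay window passed, reliability layer dropped it */
    RX_SUSPECT_RETRANSMIT,   /* same (time, id) seen: the patch logs this at D_PID_DEBUG */
    RX_REPLAY_ERROR          /* other replay rejection: still logged at D_REPLAY_ERRORS */
};

struct receiver { struct replay_rec replay; struct reliable_rx rel; };

/* One control packet: replay check on (time, pid) first, reliability check
 * on seq only if the packet survived it. */
enum rx_outcome receive_control_packet(struct receiver *rx, uint32_t time,
                                       uint32_t pid, unsigned seq)
{
    switch (replay_check(&rx->replay, time, pid)) {
    case PID_OK: break;
    case PID_SEEN: return RX_SUSPECT_RETRANSMIT;
    default: return RX_REPLAY_ERROR;
    }
    return reliable_accept(&rx->rel, seq) ? RX_DELIVERED : RX_DUP_SILENT;
}

int main(void)
{
    struct receiver rx = {0};
    /* constructed packets: (time, packet-id, reliability seq) */
    printf("first PUSH_REPLY segment:    %d\n", receive_control_packet(&rx, 1000, 1, 0));
    printf("OpenVPN 2 style retransmit:  %d\n", receive_control_packet(&rx, 1000, 2, 0));
    printf("OpenVPN 3 style retransmit:  %d\n", receive_control_packet(&rx, 1000, 1, 0));
    printf("replay of captured packet 1: %d\n", receive_control_packet(&rx, 1000, 1, 0));
    return 0;
}
```

The last two calls return the same outcome: a replayed copy of a captured control packet and a benign OpenVPN 3 retransmit are indistinguishable to the window check, so the patch cannot tell them apart either. The packet is dropped in both cases, so the channel is not weakened; what changes is only the log level, which matters for anyone who watches "bad packet ID" messages for control-channel replays.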