From patchwork Wed Oct 12 13:34:54 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2816
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 Oct 2022 15:34:54 +0200
Message-Id: <20221012133457.1927871-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 1/3] Move dco_installed from sock->info to sock->info.lsa.actual

For tcp this makes no difference as the remote address of the socket never changes. For udp this allows OpenVPN to differentiate if a reconnecting client is using the same address as before or from a different one. This allows sending via the normal userspace socket in that case.
Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 7 ++++--- src/openvpn/dco_linux.c | 2 +- src/openvpn/forward.c | 8 ++++---- src/openvpn/init.c | 2 +- src/openvpn/mtcp.c | 6 +++--- src/openvpn/socket.h | 6 +++--- 6 files changed, 16 insertions(+), 15 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index a76cdd0cd..1f402bfc2 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -448,7 +448,7 @@ dco_p2p_add_new_peer(struct context *c) } c->c2.tls_multi->dco_peer_added = true; - c->c2.link_socket->info.dco_installed = true; + c->c2.link_socket->info.lsa->actual.dco_installed = true; return 0; } @@ -522,7 +522,7 @@ dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi) { struct context *c = &mi->context; - int peer_id = mi->context.c2.tls_multi->peer_id; + int peer_id = c->c2.tls_multi->peer_id; struct sockaddr *remoteaddr, *localaddr = NULL; struct sockaddr_storage local = { 0 }; int sd = c->c2.link_socket->sd; @@ -531,6 +531,7 @@ dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi) { /* the remote address will be inferred from the TCP socket endpoint */ remoteaddr = NULL; + c->c2.link_socket->info.lsa->actual.dco_installed = true; } else { @@ -575,7 +576,7 @@ dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi) { msg(D_DCO|M_ERRNO, "error closing TCP socket after DCO handover"); } - c->c2.link_socket->info.dco_installed = true; + c->c2.link_socket->info.lsa->actual.dco_installed = true; c->c2.link_socket->sd = SOCKET_UNDEFINED; } diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 98e10507b..109358205 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c 
@@ -285,7 +285,7 @@ ovpn_nl_cb_finish(struct nl_msg (*msg) __attribute__ ((unused)), void *arg) * * We pass the error code to the user by means of a variable pointed by *arg * (supplied by the user when setting this callback) and we parse the kernel - * reply to see if it contains a human readable error. If found, it is printed. + * reply to see if it contains a human-readable error. If found, it is printed. */ static int ovpn_nl_cb_error(struct sockaddr_nl (*nla) __attribute__ ((unused)), diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index bee24f0d4..18308c2c5 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1636,13 +1636,13 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) * standard Overlapped I/O. * * Hide that complexity (...especially if more platforms show up - * in future...) in a small inline function. + * in the future...) in a small inline function. */ static inline bool -should_use_dco_socket(struct link_socket *sock) +should_use_dco_socket(struct link_socket_actual *actual) { #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) - return sock->info.dco_installed; + return actual->dco_installed; #else return false; #endif @@ -1721,7 +1721,7 @@ process_outgoing_link(struct context *c) socks_preprocess_outgoing_link(c, &to_addr, &size_delta); /* Send packet */ - if (should_use_dco_socket(c->c2.link_socket)) + if (should_use_dco_socket(c->c2.to_link_addr)) { size = dco_do_write(&c->c1.tuntap->dco, c->c2.tls_multi->peer_id, diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 5141a35c2..351515aa2 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c 
@@ -3625,7 +3625,7 @@ do_close_link_socket(struct context *c) * closed in do_close_tun(). Set it to UNDEFINED so * we won't use WinSock API to close it. */ if (tuntap_is_dco_win(c->c1.tuntap) && c->c2.link_socket - && c->c2.link_socket->info.dco_installed) + && c->c2.link_socket->info.lsa->actual.dco_installed) { c->c2.link_socket->sd = SOCKET_UNDEFINED; } diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c index 1abb903f2..07da15a6d 100644 --- a/src/openvpn/mtcp.c +++ b/src/openvpn/mtcp.c @@ -402,7 +402,7 @@ multi_tcp_wait_lite(struct multi_context *m, struct multi_instance *mi, const in tv_clear(&c->c2.timeval); /* ZERO-TIMEOUT */ - if (mi && mi->context.c2.link_socket->info.dco_installed) + if (mi && mi->context.c2.link_socket->info.lsa->actual.dco_installed) { /* If we got a socket that has been handed over to the kernel * we must not call the normal socket function to figure out @@ -537,7 +537,7 @@ multi_tcp_dispatch(struct multi_context *m, struct multi_instance *mi, const int case TA_INITIAL: ASSERT(mi); - if (!mi->context.c2.link_socket->info.dco_installed) + if (!mi->context.c2.link_socket->info.lsa->actual.dco_installed) { multi_tcp_set_global_rw_flags(m, mi); } @@ -590,7 +590,7 @@ multi_tcp_post(struct multi_context *m, struct multi_instance *mi, const int act } else { - if (!c->c2.link_socket->info.dco_installed) + if (!c->c2.link_socket->info.lsa->actual.dco_installed) { multi_tcp_set_global_rw_flags(m, mi); } diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 462afa31b..11b37d005 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -88,6 +88,7 @@ struct link_socket_actual /*int dummy;*/ /* add offset to force a bug if dest not explicitly dereferenced */ struct openvpn_sockaddr dest; + bool dco_installed; #if ENABLE_IP_PKTINFO union { #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) 
@@ -121,7 +122,6 @@ struct link_socket_info sa_family_t af; /* Address family like AF_INET, AF_INET6 or AF_UNSPEC*/ bool bind_ipv6_only; int mtu_changed; /* Set to true when mtu value is changed */ - bool dco_installed; }; /* @@ -1073,7 +1073,7 @@ link_socket_read(struct link_socket *sock, struct link_socket_actual *from) { if (proto_is_udp(sock->info.proto) - || sock->info.dco_installed) + || sock->info.lsa->actual.dco_installed) /* unified UDPv4 and UDPv6, for DCO the kernel * will strip the length header */ { 
@@ -1190,7 +1190,7 @@ link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) { - if (proto_is_udp(sock->info.proto) || sock->info.dco_installed) + if (proto_is_udp(sock->info.proto) || to->dco_installed) { /* unified UDPv4 and UDPv6 and DCO (kernel adds size header) */ return link_socket_write_udp(sock, buf, to); From patchwork Wed Oct 12 13:34:55 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2815 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.27.255.8]) by backend30.mail.ord1d.rsapps.net with LMTP id 0BonNKTCRmMwMAAAIUCqbw (envelope-from ) for ; Wed, 12 Oct 2022 09:35:32 -0400 Received: from proxy15.mail.iad3a.rsapps.net ([172.27.255.8]) by director8.mail.ord1d.rsapps.net with LMTP id GIu/M6TCRmPPVwAAfY0hYg (envelope-from ) for ; Wed, 12 Oct 2022 09:35:32 -0400 Received: from smtp23.gate.iad3a ([172.27.255.8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy15.mail.iad3a.rsapps.net with LMTPS id iNohMKTCRmPBNwAAHi9b9g (envelope-from ) for ; Wed, 12 Oct 2022 09:35:32 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp23.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: bded9c74-4a32-11ed-85a4-52540033eb40-1-1 Received: from [216.105.38.7] ([216.105.38.7:53978] helo=lists.sourceforge.net) by smtp23.gate.iad3a.rsapps.net (envelope-from ) 
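Review bot: the CM_CHILD_TCP branch in the @@ -531,6 +531,7 @@ hunk of dco_multi_add_new_peer sets `c->c2.link_socket->info.lsa->actual.dco_installed = true;` before the peer has been handed to the kernel, and the @@ -575,7 +576,7 @@ hunk sets the same flag again after the TCP socket is closed. One of the two assignments is redundant, and the early one leaves a socket that userspace still owns marked as installed if dco_new_peer fails in between (the `return ret;` path visible in the @@ -567 context of the next patch), so the next process_outgoing_link would go through dco_do_write instead of the real socket. Either drop the early assignment or add a comment explaining why the flag must be set before the peer exists in the kernel.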
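Review bot: with `bool dco_installed;` now a member of struct link_socket_actual (socket.h @@ -88,6 +88,7 @@ hunk), the flag travels with every struct copy of an actual address, so any code that overwrites lsa->actual with a copy of another link_socket_actual (the received-from address of a reconnecting client, which is the case the commit message relies on) silently clears it. That is the intended behaviour, but it is invisible at the declaration; a one-line comment beside the field saying the flag is deliberately reset whenever the actual address is replaced would stop the next reader from treating it as a bug. In the same file link_socket_read tests `sock->info.lsa->actual.dco_installed` while link_socket_write tests `to->dco_installed`; those agree only while `to` points at lsa->actual, so state that assumption in the comment as well.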
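Review bot: the mtcp.c and init.c hunks repeat the chain `...->info.lsa->actual.dco_installed` five times across multi_tcp_wait_lite, multi_tcp_dispatch, multi_tcp_post and do_close_link_socket; a small static inline helper in socket.h taking a `struct link_socket *` would put the dereference through the `lsa` pointer in one place and make a NULL check on `lsa` trivial to add later.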
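Review bot: the dco_linux.c hunk (`human readable` to `human-readable`), the first forward.c context change (`in future` to `in the future`) and the `int peer_id = c->c2.tls_multi->peer_id;` rewrite in dco_multi_add_new_peer are cosmetic edits unrelated to moving dco_installed; please split them into a separate cleanup commit so the functional change stays bisectable.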
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 Oct 2022 15:34:55 +0200
Message-Id: <20221012133457.1927871-2-arne@rfc2549.org>
In-Reply-To: <20221012133457.1927871-1-arne@rfc2549.org>
References: <20221012133457.1927871-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 2/3] Use dedicated multi->dco_peer_id for DCO instead of multi->peer_id

The lifetime and state machine of multi->peer_id does not exactly match the lifetime/state of DCO. This is especially true for p2p NCP, where a reconnection can change the peer id. Also use this new field with value -1 to mean not installed, replacing the dco_peer_added field.
Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 24 ++++++++++++------------ src/openvpn/forward.c | 2 +- src/openvpn/init.c | 4 ++-- src/openvpn/multi.c | 8 ++++---- src/openvpn/ssl.c | 1 + src/openvpn/ssl_common.h | 9 ++++++++- 6 files changed, 28 insertions(+), 20 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 1f402bfc2..51d595611 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -55,7 +55,7 @@ dco_install_key(struct tls_multi *multi, struct key_state *ks, const char *ciphername) { - msg(D_DCO_DEBUG, "%s: peer_id=%d keyid=%d", __func__, multi->peer_id, + msg(D_DCO_DEBUG, "%s: peer_id=%d keyid=%d", __func__, multi->dco_peer_id, ks->key_id); /* Install a key in the PRIMARY slot only when no other key exist. @@ -69,7 +69,7 @@ dco_install_key(struct tls_multi *multi, struct key_state *ks, slot = OVPN_KEY_SLOT_SECONDARY; } - int ret = dco_new_key(multi->dco, multi->peer_id, ks->key_id, slot, + int ret = dco_new_key(multi->dco, multi->dco_peer_id, ks->key_id, slot, encrypt_key, encrypt_iv, decrypt_key, decrypt_iv, ciphername); @@ -133,7 +133,7 @@ dco_get_secondary_key(struct tls_multi *multi, const struct key_state *primary) void dco_update_keys(dco_context_t *dco, struct tls_multi *multi) { - msg(D_DCO_DEBUG, "%s: peer_id=%d", __func__, multi->peer_id); + msg(D_DCO_DEBUG, "%s: peer_id=%d", __func__, multi->dco_peer_id); /* this function checks if keys have to be swapped or erased, therefore it * can't do much if we don't have any key installed 
@@ -151,14 +151,14 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) { msg(D_DCO, "No encryption key found. Purging data channel keys"); - int ret = dco_del_key(dco, multi->peer_id, OVPN_KEY_SLOT_PRIMARY); + int ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_PRIMARY); if (ret < 0) { msg(D_DCO, "Cannot delete primary key during wipe: %s (%d)", strerror(-ret), ret); return; } - ret = dco_del_key(dco, multi->peer_id, OVPN_KEY_SLOT_SECONDARY); + ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_SECONDARY); if (ret < 0) { msg(D_DCO, "Cannot delete secondary key during wipe: %s (%d)", strerror(-ret), ret); @@ -184,7 +184,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) msg(D_DCO_DEBUG, "Swapping primary and secondary keys, now: id1=%d id2=%d", primary->key_id, secondary ? secondary->key_id : -1); - int ret = dco_swap_keys(dco, multi->peer_id); + int ret = dco_swap_keys(dco, multi->dco_peer_id); if (ret < 0) { msg(D_DCO, "Cannot swap keys: %s (%d)", strerror(-ret), ret); @@ -202,7 +202,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) /* if we have no secondary key anymore, inform DCO about it */ if (!secondary && multi->dco_keys_installed == 2) { - int ret = dco_del_key(dco, multi->peer_id, OVPN_KEY_SLOT_SECONDARY); + int ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_SECONDARY); if (ret < 0) { msg(D_DCO, "Cannot delete secondary key: %s (%d)", strerror(-ret), ret); @@ -447,7 +447,7 @@ dco_p2p_add_new_peer(struct context *c) return ret; } - c->c2.tls_multi->dco_peer_added = true; + c->c2.tls_multi->dco_peer_id = multi->peer_id; c->c2.link_socket->info.lsa->actual.dco_installed = true; return 0; 
@@ -461,10 +461,10 @@ dco_remove_peer(struct context *c) return; } - if (c->c1.tuntap && c->c2.tls_multi && c->c2.tls_multi->dco_peer_added) + if (c->c1.tuntap && c->c2.tls_multi && c->c2.tls_multi->dco_peer_id) { - dco_del_peer(&c->c1.tuntap->dco, c->c2.tls_multi->peer_id); - c->c2.tls_multi->dco_peer_added = false; + dco_del_peer(&c->c1.tuntap->dco, c->c2.tls_multi->dco_peer_id); + c->c2.tls_multi->dco_peer_id = -1; } } @@ -567,7 +567,7 @@ dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi) return ret; } - c->c2.tls_multi->dco_peer_added = true; + c->c2.tls_multi->dco_peer_id = peer_id; if (c->mode == CM_CHILD_TCP) { diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 18308c2c5..8db4f2ce1 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1724,7 +1724,7 @@ process_outgoing_link(struct context *c) if (should_use_dco_socket(c->c2.to_link_addr)) { size = dco_do_write(&c->c1.tuntap->dco, - c->c2.tls_multi->peer_id, + c->c2.tls_multi->dco_peer_id, &c->c2.to_link); } else diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 351515aa2..35e63dbc3 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2150,14 +2150,14 @@ do_deferred_options_part2(struct context *c) && (c->options.ping_send_timeout || c->c2.frame.mss_fix)) { int ret = dco_set_peer(&c->c1.tuntap->dco, - c->c2.tls_multi->peer_id, + c->c2.tls_multi->dco_peer_id, c->options.ping_send_timeout, c->options.ping_rec_timeout, c->c2.frame.mss_fix); if (ret < 0) { msg(D_DCO, "Cannot set parameters for DCO peer (id=%u): %s", - c->c2.tls_multi->peer_id, strerror(-ret)); + c->c2.tls_multi->dco_peer_id, strerror(-ret)); return false; } } diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index b9b087e01..bd823e81f 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -2448,14 +2448,14 @@ multi_client_connect_late_setup(struct multi_context *m, if (mi->context.options.ping_send_timeout || mi->context.c2.frame.mss_fix) { int ret = dco_set_peer(&mi->context.c1.tuntap->dco, - mi->context.c2.tls_multi->peer_id, + mi->context.c2.tls_multi->dco_peer_id, mi->context.options.ping_send_timeout, mi->context.options.ping_rec_timeout, mi->context.c2.frame.mss_fix); if (ret < 0) { msg(D_DCO, "Cannot set parameters for DCO peer (id=%u): %s", - mi->context.c2.tls_multi->peer_id, strerror(-ret)); + mi->context.c2.tls_multi->dco_peer_id, strerror(-ret)); mi->context.c2.tls_multi->multi_state = CAS_FAILED; } } @@ -3226,8 +3226,8 @@ process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi, } /* When kernel already deleted the peer, the socket is no longer - * installed and we don't need to cleanup the state in the kernel */ - mi->context.c2.tls_multi->dco_peer_added = false; + * installed, and we do not need to clean up the state in the kernel */ + mi->context.c2.tls_multi->dco_peer_id = -1; mi->context.sig->signal_text = reason; multi_signal_instance(m, mi, SIGTERM); } diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 5ed71f0c5..5b9ce77fe 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1266,6 +1266,7 @@ tls_multi_init(struct tls_options *tls_options) /* get command line derived options */ ret->opt = *tls_options; + ret->dco_peer_id = -1; return ret; } diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 9aa28f1e5..78f9288e5 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h 
@@ -659,7 +659,14 @@ struct tls_multi /* Only used when DCO is used to remember how many keys we installed * for this session */ int dco_keys_installed; - bool dco_peer_added; + /** + * This is the handle that DCO uses to identify this session with the + * kernel. + * + * We keep this separate as the normal peer_id can change during + * p2p NCP and we need to track the id that is really used. + */ + int dco_peer_id; dco_context_t *dco; }; From patchwork Wed Oct 12 13:34:56 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2814 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.27.255.50]) by backend30.mail.ord1d.rsapps.net with LMTP id mFOGJKTCRmMHMAAAIUCqbw (envelope-from ) for ; Wed, 12 Oct 2022 09:35:32 -0400 Received: from proxy1.mail.iad3a.rsapps.net ([172.27.255.50]) by director7.mail.ord1d.rsapps.net with LMTP id iM9WJKTCRmPcFQAAovjBpQ (envelope-from ) for ; Wed, 12 Oct 2022 09:35:32 -0400 Received: from smtp18.gate.iad3a ([172.27.255.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy1.mail.iad3a.rsapps.net with LMTPS id sBx6HaTCRmNVcQAA8TVjwQ (envelope-from ) for ; Wed, 12 Oct 2022 09:35:32 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp18.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: bdb708b2-4a32-11ed-8254-5254008b8116-1-1 Received: from [216.105.38.7] 
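Review bot: the @@ -461,10 +461,10 @@ hunk in dco_remove_peer tests `c->c2.tls_multi->dco_peer_id` for truth, but the field uses -1 as its "not installed" value (tls_multi_init sets `ret->dco_peer_id = -1;` and process_incoming_del_peer resets it to -1). With this condition a server-side peer whose id is 0 is never removed from the kernel, and a context whose peer the kernel already deleted (-1) still calls `dco_del_peer(&c->c1.tuntap->dco, -1)`, which is exactly what the multi.c hunk tries to prevent. The check should be `c->c2.tls_multi->dco_peer_id != -1`, the same comparison the third patch uses in check_dco_key_status.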
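Review bot: the new doc comment on `int dco_peer_id;` in ssl_common.h explains why the handle is kept separate from peer_id but not how it is encoded; since the commit message makes -1 the "not installed" marker and tls_multi_init, dco_remove_peer and process_incoming_del_peer all depend on it, say so in the comment (a named constant would be better still) so the sentinel does not have to be re-derived from the ssl.c hunk.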
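Review bot: in the init.c and multi.c hunks the message `Cannot set parameters for DCO peer (id=%u)` now receives dco_peer_id, which ssl_common.h declares as `int` and which can legitimately be -1; use `%d` so the format matches the argument type and an uninstalled peer logs as -1 rather than 4294967295. The D_DCO_DEBUG messages in dco.c have the same mismatch in the other direction: they still label the value `peer_id=` while printing dco_peer_id.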
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 12 Oct 2022 15:34:56 +0200
Message-Id: <20221012133457.1927871-3-arne@rfc2549.org>
In-Reply-To: <20221012133457.1927871-1-arne@rfc2549.org>
References: <20221012133457.1927871-1-arne@rfc2549.org>
Signed-off-by: Arne Schwabe --- src/openvpn/forward.c | 7 +++++++ 1 file changed, 7 insertions(+) Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1oibt3-001AOn-2v Subject: [Openvpn-devel] [PATCH 3/3] Call dco_p2p_add_new_peer again if the peer id changes X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This allows a reconnect in p2p mode and has the side effect of updating the peer address with the peerid Signed-off-by: Arne Schwabe --- src/openvpn/forward.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 8db4f2ce1..e56028c0c 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -150,6 +150,13 @@ check_dco_key_status(struct context *c) return; } + /* If the DCO peer id changed, we need to readd the peer */ + if (c->c2.tls_multi->dco_peer_id != -1 + && c->c2.tls_multi->peer_id != c->c2.tls_multi->dco_peer_id) + { + dco_p2p_add_new_peer(c); + } + dco_update_keys(&c->c1.tuntap->dco, c->c2.tls_multi); }
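Review bot: the new block in check_dco_key_status discards the return value of dco_p2p_add_new_peer, which returns an error code on failure (the `return ret;` path in its dco.c hunk, before dco_peer_id is updated), so a failed re-add leaves dco_peer_id at the old kernel peer while dco_update_keys below proceeds as if the new peer existed; check the result and signal the context instead of continuing. The peer previously registered under the old dco_peer_id is also never removed: dco_p2p_add_new_peer overwrites dco_peer_id with the new peer_id, so the stale kernel entry can no longer be deleted by dco_remove_peer later. Unless the kernel replaces an existing peer on re-add, call dco_del_peer on the old id before adding the new one. Comment nit: "readd" should be "re-add".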