From patchwork Sun Oct 16 15:49:53 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2819
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 16 Oct 2022 17:49:53 +0200
Message-Id: <20221016154953.2483509-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3] Change exit signal in P2P to be a SIGUSR1 and delay CC exit in P2MP

From the implementation of explicit-notify and the fact that it is an OCC message (basically the rudimentary predecessor to control channel), this message is very old.
I think in the past this feature fit nicely with the weird inetd + openvpn mode that seems to have far too many hacks still left in our code. With inetd, it made sense that the server instance quits if you press C-c on the client. In our current state where inetd is no longer supported, this behaviour to exit makes little sense and this patch changes the behaviour to SIGUSR1.

Testing this led to a confused v2 of the patch and also finally the insight that if a CC channel exit is triggered too early the remaining control channel packets that come after that can trigger the HMAC code to open a session again if the whole session lasted less than two minutes (with default settings).

Patch v2: use different signals for p2mp and p2p
Patch v3: use delayed exit for P2MP/CC exit and USR1 for everything else

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/occ.c  |  2 +-
 src/openvpn/push.c | 20 +++++++++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/occ.c b/src/openvpn/occ.c index 1ed0d3771..eb1f2fae7 100644 --- a/src/openvpn/occ.c +++ b/src/openvpn/occ.c @@ -431,7 +431,7 @@ process_received_occ_msg(struct context *c) case OCC_EXIT: dmsg(D_PACKET_CONTENT, "RECEIVED OCC_EXIT"); - c->sig->signal_received = SIGTERM; + c->sig->signal_received = SIGUSR1; c->sig->signal_text = "remote-exit"; break; } diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 26259c6b8..d9fa64870 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
@@ -193,7 +193,25 @@ void receive_exit_message(struct context *c) { dmsg(D_STREAM_ERRORS, "Exit message received by peer"); - c->sig->signal_received = SIGTERM; + /* With control channel exit notification, we want the session to give + * enough time to handle retransmits and acknowledgment, so lat coming + * retries from the client to resend the exit or ACKs do not trigger + * a new session since we already killed it but the packet still has + * a valid HMAC. This can only happen for the period for the HMAC + * timeslot is still valid but waiting five seconds here does not + * hurt much and is the better alternative. + * + * This does not affect OCC exit since the HMAC session code will + * ignore DATA packets + * */ + if (c->options.mode == MODE_SERVER) + { + schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM); + } + else + { + c->sig->signal_received = SIGUSR1; + } c->sig->signal_text = "remote-exit"; #ifdef ENABLE_MANAGEMENT if (management)
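Review bot: in the occ.c hunk the switch from SIGTERM to SIGUSR1 at `c->sig->signal_received = SIGUSR1;` is left without any explanation in the code; the rationale lives only in the commit message and in the push.c comment ("This does not affect OCC exit since the HMAC session code will ignore DATA packets"), so a reader of occ.c alone sees the two exit paths diverge (immediate SIGUSR1 here, delayed SIGTERM for MODE_SERVER in push.c) with no hint why. Add a one-line comment above the assignment stating that a remote OCC exit now restarts the instance rather than terminating it and that no delayed exit is needed on this path. The diffstat shows only occ.c and push.c being touched, so this user-visible change (a peer's explicit exit causes a restart instead of process exit) is also not reflected in any documentation update in this patch.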
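Review bot: in the push.c hunk `c->sig->signal_text = "remote-exit";` is still assigned unconditionally after the new if/else, but in the MODE_SERVER branch no signal is raised at that point (schedule_exit() defers the SIGTERM by scheduled_exit_interval), so the text either describes a signal that is not pending yet or gets overwritten when the scheduled exit fires; move the assignment into the else branch unless schedule_exit() is known to preserve it. The new comment also hardcodes "waiting five seconds here does not hurt much" while the code uses the configurable `c->options.scheduled_exit_interval`; reword it to name the option so the comment stays true when the interval is changed. Typos in the comment: "lat coming" should be "late coming", "for the period for the HMAC timeslot is still valid" should be "while the HMAC timeslot is still valid", and the closing "* */" carries a stray asterisk.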