From patchwork Thu Nov 24 23:00:25 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2853 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director13.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id OEc4FsD3f2NBWwAAIUCqbw (envelope-from ) for ; Thu, 24 Nov 2022 18:01:20 -0500 Received: from proxy1.mail.ord1c.rsapps.net ([172.28.255.1]) by director13.mail.ord1d.rsapps.net with LMTP id 0DhZFsD3f2MmPAAA91zNiA (envelope-from ) for ; Thu, 24 Nov 2022 18:01:20 -0500 Received: from smtp21.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy1.mail.ord1c.rsapps.net with LMTPS id yN/CCMT3f2PjSQAA2VeTtA (envelope-from ) for ; Thu, 24 Nov 2022 18:01:24 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp21.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: e82f25d0-6c4b-11ed-93b6-a0369f0d8808-1-1 Received: from [216.105.38.7] ([216.105.38.7:47770] helo=lists.sourceforge.net) by smtp21.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 33/59-05315-FB7FF736; Thu, 24 Nov 2022 18:01:19 -0500 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1oyLD1-00062y-HR; Thu, 24 Nov 2022 23:00:43 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1oyLD0-00062s-IX for openvpn-devel@lists.sourceforge.net; Thu, 24 Nov 2022 23:00:42 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=r5VVvRSGNXeSDJap+xYDSlGZ5gNUoy5mmGDOqELMNGg=; b=PY8ix/i1PuzgK4t6VO3LR5bsyE 8SB++k1aOezlzKcLslpbSxtzfXS0byDdgZvO9TDYiCEeiT3GXdyB7NBRzJ/qqdubkQj/m7ADoOL6p tDlH9KWPHFVcR7QobLQ1/cHdHp3ppSKYVBZf3SvBWZfn3ivbY/oQDqQXIRrIZU1VdPHI=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=r5VVvRSGNXeSDJap+xYDSlGZ5gNUoy5mmGDOqELMNGg=; b=UuCjNpUIm/INxh8BjArCQHqicq YeiwxOZWsJyWw9OSa0WamUdf6lRQ6QMal8p6z4gKTzgzLgzSmFVawIzrEM5N+bDSoADeQBM8PAkB5 3XoGOt6OIZN+Dbvph9xP7byCrzZYMHLUWyL/p170oPotWWbYESnQ9Do+M+YHAdWjeEP4=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1oyLCu-0003GX-Bc for openvpn-devel@lists.sourceforge.net; Thu, 24 Nov 2022 23:00:42 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1oyLCj-0003cF-9Z for openvpn-devel@lists.sourceforge.net; Fri, 25 Nov 2022 00:00:25 +0100 Received: (nullmailer pid 3205154 invoked by uid 10006); Thu, 24 Nov 2022 23:00:25 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Fri, 25 Nov 2022 00:00:25 +0100 Message-Id: <20221124230025.3205108-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221012133457.1927871-1-arne@rfc2549.org> References: <20221012133457.1927871-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: The lifetime and state machine of multi->peer_id does not exactly the lifetime/state of DCO. This is especially for p2p NCP where a reconnection can change the peer id. Also use this new field with va [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1oyLCu-0003GX-Bc Subject: [Openvpn-devel] [PATCH v2 2/3] Use dedicated multi->dco_peer_id for DCO instead of multi->peer_id X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox The lifetime and state machine of multi->peer_id does not exactly the lifetime/state of DCO. This is especially for p2p NCP where a reconnection can change the peer id. Also use this new field with value -1 to mean not installed, replacing the dco_peer_added field. Patch v2: fix one comparison checking for 0 instead of -1 Signed-off-by: Arne Schwabe --- src/openvpn/dco.c | 24 ++++++++++++------------ src/openvpn/forward.c | 2 +- src/openvpn/init.c | 4 ++-- src/openvpn/multi.c | 8 ++++---- src/openvpn/ssl.c | 1 + src/openvpn/ssl_common.h | 9 ++++++++- 6 files changed, 28 insertions(+), 20 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index f190d038b..d83f24fef 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -55,7 +55,7 @@ dco_install_key(struct tls_multi *multi, struct key_state *ks, const char *ciphername) { - msg(D_DCO_DEBUG, "%s: peer_id=%d keyid=%d", __func__, multi->peer_id, + msg(D_DCO_DEBUG, "%s: peer_id=%d keyid=%d", __func__, multi->dco_peer_id, ks->key_id); /* Install a key in the PRIMARY slot only when no other key exist. @@ -69,7 +69,7 @@ dco_install_key(struct tls_multi *multi, struct key_state *ks, slot = OVPN_KEY_SLOT_SECONDARY; } - int ret = dco_new_key(multi->dco, multi->peer_id, ks->key_id, slot, + int ret = dco_new_key(multi->dco, multi->dco_peer_id, ks->key_id, slot, encrypt_key, encrypt_iv, decrypt_key, decrypt_iv, ciphername); @@ -133,7 +133,7 @@ dco_get_secondary_key(struct tls_multi *multi, const struct key_state *primary) void dco_update_keys(dco_context_t *dco, struct tls_multi *multi) { - msg(D_DCO_DEBUG, "%s: peer_id=%d", __func__, multi->peer_id); + msg(D_DCO_DEBUG, "%s: peer_id=%d", __func__, multi->dco_peer_id); /* this function checks if keys have to be swapped or erased, therefore it * can't do much if we don't have any key installed @@ -151,14 +151,14 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) { msg(D_DCO, "No encryption key found. Purging data channel keys"); - int ret = dco_del_key(dco, multi->peer_id, OVPN_KEY_SLOT_PRIMARY); + int ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_PRIMARY); if (ret < 0) { msg(D_DCO, "Cannot delete primary key during wipe: %s (%d)", strerror(-ret), ret); return; } - ret = dco_del_key(dco, multi->peer_id, OVPN_KEY_SLOT_SECONDARY); + ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_SECONDARY); if (ret < 0) { msg(D_DCO, "Cannot delete secondary key during wipe: %s (%d)", strerror(-ret), ret); @@ -184,7 +184,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) msg(D_DCO_DEBUG, "Swapping primary and secondary keys, now: id1=%d id2=%d", primary->key_id, secondary ? secondary->key_id : -1); - int ret = dco_swap_keys(dco, multi->peer_id); + int ret = dco_swap_keys(dco, multi->dco_peer_id); if (ret < 0) { msg(D_DCO, "Cannot swap keys: %s (%d)", strerror(-ret), ret); @@ -202,7 +202,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) /* if we have no secondary key anymore, inform DCO about it */ if (!secondary && multi->dco_keys_installed == 2) { - int ret = dco_del_key(dco, multi->peer_id, OVPN_KEY_SLOT_SECONDARY); + int ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_SECONDARY); if (ret < 0) { msg(D_DCO, "Cannot delete secondary key: %s (%d)", strerror(-ret), ret); @@ -465,7 +465,7 @@ dco_p2p_add_new_peer(struct context *c) return ret; } - c->c2.tls_multi->dco_peer_added = true; + c->c2.tls_multi->dco_peer_id = multi->peer_id; c->c2.link_socket->info.lsa->actual.dco_installed = true; return 0; @@ -479,10 +479,10 @@ dco_remove_peer(struct context *c) return; } - if (c->c1.tuntap && c->c2.tls_multi && c->c2.tls_multi->dco_peer_added) + if (c->c1.tuntap && c->c2.tls_multi && c->c2.tls_multi->dco_peer_id == -1) { - dco_del_peer(&c->c1.tuntap->dco, c->c2.tls_multi->peer_id); - c->c2.tls_multi->dco_peer_added = false; + dco_del_peer(&c->c1.tuntap->dco, c->c2.tls_multi->dco_peer_id); + c->c2.tls_multi->dco_peer_id = -1; } } @@ -585,7 +585,7 @@ dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi) return ret; } - c->c2.tls_multi->dco_peer_added = true; + c->c2.tls_multi->dco_peer_id = peer_id; if (c->mode == CM_CHILD_TCP) { diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 622be8411..8aef82606 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1731,7 +1731,7 @@ process_outgoing_link(struct context *c) if (should_use_dco_socket(c->c2.to_link_addr)) { size = dco_do_write(&c->c1.tuntap->dco, - c->c2.tls_multi->peer_id, + c->c2.tls_multi->dco_peer_id, &c->c2.to_link); } else diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 1b30c8f0a..0e4769775 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2151,14 +2151,14 @@ do_deferred_options_part2(struct context *c) && (c->options.ping_send_timeout || c->c2.frame.mss_fix)) { int ret = dco_set_peer(&c->c1.tuntap->dco, - c->c2.tls_multi->peer_id, + c->c2.tls_multi->dco_peer_id, c->options.ping_send_timeout, c->options.ping_rec_timeout, c->c2.frame.mss_fix); if (ret < 0) { msg(D_DCO, "Cannot set parameters for DCO peer (id=%u): %s", - c->c2.tls_multi->peer_id, strerror(-ret)); + c->c2.tls_multi->dco_peer_id, strerror(-ret)); return false; } } diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index b9b087e01..bd823e81f 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2448,14 +2448,14 @@ multi_client_connect_late_setup(struct multi_context *m, if (mi->context.options.ping_send_timeout || mi->context.c2.frame.mss_fix) { int ret = dco_set_peer(&mi->context.c1.tuntap->dco, - mi->context.c2.tls_multi->peer_id, + mi->context.c2.tls_multi->dco_peer_id, mi->context.options.ping_send_timeout, mi->context.options.ping_rec_timeout, mi->context.c2.frame.mss_fix); if (ret < 0) { msg(D_DCO, "Cannot set parameters for DCO peer (id=%u): %s", - mi->context.c2.tls_multi->peer_id, strerror(-ret)); + mi->context.c2.tls_multi->dco_peer_id, strerror(-ret)); mi->context.c2.tls_multi->multi_state = CAS_FAILED; } } @@ -3226,8 +3226,8 @@ process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi, } /* When kernel already deleted the peer, the socket is no longer - * installed and we don't need to cleanup the state in the kernel */ - mi->context.c2.tls_multi->dco_peer_added = false; + * installed, and we do not need to clean up the state in the kernel */ + mi->context.c2.tls_multi->dco_peer_id = -1; mi->context.sig->signal_text = reason; multi_signal_instance(m, mi, SIGTERM); } diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index a73a2b714..818100c23 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1315,6 +1315,7 @@ tls_multi_init(struct tls_options *tls_options) /* get command line derived options */ ret->opt = *tls_options; + ret->dco_peer_id = -1; return ret; } diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 24d40ab83..e967970dd 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -661,7 +661,14 @@ struct tls_multi /* Only used when DCO is used to remember how many keys we installed * for this session */ int dco_keys_installed; - bool dco_peer_added; + /** + * This is the handle that DCO uses to identify this session with the + * kernel. + * + * We keep this separate as the normal peer_id can change during + * p2p NCP and we need to track the id that is really used. + */ + int dco_peer_id; dco_context_t *dco; };