From patchwork Tue Dec 13 22:54:28 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2906
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 13 Dec 2022 23:54:28 +0100
Message-Id: <20221213225430.1892940-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 1/3] Improve debug logging of DCO swap key message and Linux dco_new_peer

Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
 src/openvpn/dco.c       | 18 ++++++++++++++----
 src/openvpn/dco_linux.c | 10 ++++++++--
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index feb38cd02..2396bcbf0 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -55,8 +55,8 @@ dco_install_key(struct tls_multi *multi, struct key_state *ks, const char *ciphername) { - msg(D_DCO_DEBUG, "%s: peer_id=%d keyid=%d", __func__, multi->dco_peer_id, - ks->key_id); + msg(D_DCO_DEBUG, "%s: peer_id=%d keyid=%d, currently installed %d", + __func__, multi->dco_peer_id, ks->key_id, multi->dco_keys_installed); /* Install a key in the PRIMARY slot only when no other key exist. * From that moment on, any new key will be installed in the SECONDARY @@ -181,8 +181,18 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) */ if (primary->dco_status == DCO_INSTALLED_SECONDARY) { - msg(D_DCO_DEBUG, "Swapping primary and secondary keys, now: id1=%d id2=%d", - primary->key_id, secondary ? secondary->key_id : -1); + if (secondary) + { + msg(D_DCO_DEBUG, "Swapping primary and secondary keys to " + "primary-id=%d secondary-id=%d", + primary->key_id, secondary->key_id); + } + else + { + msg(D_DCO_DEBUG, "Swapping primary and secondary keys to" + "primary-id=%d secondary-id=(to be deleted)", + primary->key_id); + } int ret = dco_swap_keys(dco, multi->dco_peer_id); if (ret < 0) diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 109358205..fbd940c28 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c 
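Review bot: the else branch of the dco_update_keys hunk (at -181) concatenates "Swapping primary and secondary keys to" with "primary-id=%d secondary-id=(to be deleted)" without a separating space, so the log line comes out as "keys toprimary-id=..."; the if branch directly above has "keys to " with the trailing space. Add the space to the first literal: "Swapping primary and secondary keys to ". The two branches otherwise differ only in how the secondary id is rendered, so one msg() call with a precomputed secondary string would avoid carrying two copies of the format string that can drift apart like this.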
@@ -216,9 +216,15 @@ dco_new_peer(dco_context_t *dco, unsigned int peerid, int sd, struct sockaddr *localaddr, struct sockaddr *remoteaddr, struct in_addr *remote_in4, struct in6_addr *remote_in6) { - msg(D_DCO_DEBUG, "%s: peer-id %d, fd %d", __func__, peerid, sd); - struct gc_arena gc = gc_new(); + const char *remotestr = "[undefined]"; + if (remoteaddr) + { + remotestr = print_sockaddr(remoteaddr, &gc); + } + msg(D_DCO_DEBUG, "%s: peer-id %d, fd %d, remote addr: %s", __func__, + peerid, sd, remotestr); + struct nl_msg *nl_msg = ovpn_dco_nlmsg_create(dco, OVPN_CMD_NEW_PEER); struct nlattr *attr = nla_nest_start(nl_msg, OVPN_ATTR_NEW_PEER); int ret = -EMSGSIZE;

From patchwork Tue Dec 13 22:54:29 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2904
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 13 Dec 2022 23:54:29 +0100
Message-Id: <20221213225430.1892940-2-arne@rfc2549.org>
In-Reply-To: <20221213225430.1892940-1-arne@rfc2549.org>
References: <20221213225430.1892940-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 2/3] Trigger a USR1 if dco_update_keys fails

When dco_update_keys fails, we are in some weird state that we are unlikely to recover from, since what userspace and kernel space think of the keys is very likely not in sync anymore. So abandon the connection if this happens.
Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
 src/openvpn/dco.c     | 15 ++++++++-------
 src/openvpn/dco.h     |  9 ++++++---
 src/openvpn/forward.c |  7 ++++++-
 3 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 2396bcbf0..36bfbf10a 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -130,7 +130,7 @@ dco_get_secondary_key(struct tls_multi *multi, const struct key_state *primary) return NULL; } -void +bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi) { msg(D_DCO_DEBUG, "%s: peer_id=%d", __func__, multi->dco_peer_id); @@ -140,7 +140,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) */ if (multi->dco_keys_installed == 0) { - return; + return true; } struct key_state *primary = tls_select_encryption_key(multi); @@ -155,18 +155,18 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) if (ret < 0) { msg(D_DCO, "Cannot delete primary key during wipe: %s (%d)", strerror(-ret), ret); - return; + return false; } ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_SECONDARY); if (ret < 0) { msg(D_DCO, "Cannot delete secondary key during wipe: %s (%d)", strerror(-ret), ret); - return; + return false; } multi->dco_keys_installed = 0; - return; + return true; } /* if we have a primary key, it must have been installed already (keys @@ -198,7 +198,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) if (ret < 0) { msg(D_DCO, "Cannot swap keys: %s (%d)", strerror(-ret), ret); - return; + return false; } primary->dco_status = DCO_INSTALLED_PRIMARY; @@ -216,7 +216,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) if (ret < 0) { msg(D_DCO, "Cannot delete secondary key: %s (%d)", strerror(-ret), ret); - return; + return false; } multi->dco_keys_installed = 1; } @@ -230,6 +230,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) ks->dco_status = DCO_NOT_INSTALLED; } } + return true; } static bool
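Review bot: in the wipe path of dco_update_keys (hunk at -155), when the primary dco_del_key succeeds and the secondary one fails, the function now returns false with multi->dco_keys_installed still at its old value even though the primary slot is already gone from the kernel; the same holds for the `return false;` after a failed dco_swap_keys (hunk at -198), where primary->dco_status is left untouched. That is only acceptable because the caller is expected to tear the connection down, so a one-line comment at those `return false;` sites saying the stale bookkeeping is intentional would stop a later reader from "repairing" the counters and thereby hiding the desync the commit message describes. Also, the `return true;` for `dco_keys_installed == 0` (hunk at -140) is a no-op success, not an error; a short comment there would make the distinction between "nothing to do" and "failed" explicit for callers of the new bool.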
diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h index e051db068..7e1febaa3 100644 --- a/src/openvpn/dco.h +++ b/src/openvpn/dco.h @@ -164,9 +164,11 @@ int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, * * @param dco DCO device context * @param multi TLS multi instance + * + * @return returns false if an error occurred that is not + * recoverable and should reset the connection */ -void dco_update_keys(dco_context_t *dco, struct tls_multi *multi); - +bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi); /** * Install a new peer in DCO - to be called by a CLIENT (or P2P) instance * @@ -304,10 +306,11 @@ init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, return 0; } -static inline void +static inline bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi) { ASSERT(false); + return false; } static inline int diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 5cd7eaa6e..8c1e49a34 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
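Review bot: the dco.h hunk at -164 drops the blank line between the new `bool dco_update_keys(dco_context_t *dco, struct tls_multi *multi);` prototype and the `/**` doc comment of the following function (the removed empty `-` line after the old `void` prototype is not re-added), which runs the two declarations together; restore it. The @return text could also state both outcomes explicitly, e.g. "@return true on success, false if an unrecoverable error occurred and the connection should be reset". The `return false;` after `ASSERT(false);` in the non-DCO stub (hunk at -304) is fine: it gives the stub a return value on every path now that the signature is bool.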
@@ -151,7 +151,12 @@ check_dco_key_status(struct context *c) return; } - dco_update_keys(&c->c1.tuntap->dco, c->c2.tls_multi); + if (!dco_update_keys(&c->c1.tuntap->dco, c->c2.tls_multi)) + { + /* Something bad happened. Kill the connection to + * be able to recover. */ + register_signal(c, SIGUSR1, "dco update keys error"); + } } /*

From patchwork Tue Dec 13 22:54:30 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2905
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 13 Dec 2022 23:54:30 +0100
Message-Id: <20221213225430.1892940-3-arne@rfc2549.org>
In-Reply-To: <20221213225430.1892940-1-arne@rfc2549.org>
References: <20221213225430.1892940-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 3/3] Set DCO_NOT_INSTALLED also for keys not in the get_key_scan range

We have 6 key slots but normally only consider 3 of them to be active/valid keys. Especially the secondary key of TM_LAME_DUCK can in rare corner cases have a key that is still installed in the kernel.
While this should not cause any issues, since I do not see a way for this key to become active ever again, it is better to keep the state correct.

Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
 src/openvpn/dco.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 36bfbf10a..20196fe5d 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -221,13 +221,17 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) multi->dco_keys_installed = 1; } - /* all keys that are not installed are set to NOT installed */ - for (int i = 0; i < KEY_SCAN_SIZE; ++i) + /* all keys that are not installed are set to NOT installed. Include also + * keys that might even be considered as active keys to be sure*/ + for (int i = 0; i < TM_SIZE; ++i) { - struct key_state *ks = get_key_scan(multi, i); - if (ks != primary && ks != secondary) + for (int j = 0; j < KS_SIZE; j++) { - ks->dco_status = DCO_NOT_INSTALLED; + struct key_state *ks = &multi->session[i].key[j]; + if (ks != primary && ks != secondary) + { + ks->dco_status = DCO_NOT_INSTALLED; + } } } return true;
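Review bot: the new comment in this hunk ends in "to be sure*/" with no space before the closing delimiter, and the inner loop uses `j++` where the outer loop and the code it replaces use `++i`; make both consistent with the surrounding style. On the logic, the nested loops now walk all TM_SIZE * KS_SIZE slots (the six the commit message refers to), and the only thing keeping the two installed keys out of the reset is the `ks != primary && ks != secondary` pointer comparison, so this depends on `primary` and `secondary` pointing into `multi->session[i].key[j]` rather than at copies; that is the same assumption the earlier dco_status updates on `primary` already make, but it is worth spelling out in the comment so the pointer identity is not broken by a later refactor.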