From patchwork Sat Dec 24 19:42:45 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2941
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 24 Dec 2022 20:42:45 +0100
Message-Id: <20221224194253.3202231-2-arne@rfc2549.org>
In-Reply-To: <20221224194253.3202231-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 1/9] Rename TM_UNTRUSTED to TM_INITIAL
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/ssl.c | 16 ++++++++-------- src/openvpn/ssl.h | 2 +- src/openvpn/ssl_common.h | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9e5480528..a5fb4fd22 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -890,8 +890,8 @@ session_index_name(int index) case TM_ACTIVE: return "TM_ACTIVE"; - case TM_UNTRUSTED: - return "TM_UNTRUSTED"; + case TM_INITIAL: + return "TM_INITIAL"; case TM_LAME_DUCK: return "TM_LAME_DUCK"; @@ -1330,7 +1330,7 @@ tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu) if (!multi->opt.single_session) { - tls_session_init(multi, &multi->session[TM_UNTRUSTED]); + tls_session_init(multi, &multi->session[TM_INITIAL]); } } @@ -3250,7 +3250,7 @@ tls_multi_process(struct tls_multi *multi, if (multi->multi_state >= CAS_CONNECT_DONE) { /* Only generate keys for the TM_ACTIVE session. We defer generating - * keys for TM_UNTRUSTED until we actually trust it. + * keys for TM_INITIAL until we actually trust it. * For TM_LAME_DUCK it makes no sense to generate new keys. */ struct tls_session *session = &multi->session[TM_ACTIVE]; struct key_state *ks = &session->key[KS_PRIMARY]; @@ -3299,9 +3299,9 @@ tls_multi_process(struct tls_multi *multi, * verification failed. A semi-trusted session can forward data on the * TLS control channel but not on the tunnel channel. */ - if (TLS_AUTHENTICATED(multi, &multi->session[TM_UNTRUSTED].key[KS_PRIMARY])) + if (TLS_AUTHENTICATED(multi, &multi->session[TM_INITIAL].key[KS_PRIMARY])) { - move_session(multi, TM_ACTIVE, TM_UNTRUSTED, true); + move_session(multi, TM_ACTIVE, TM_INITIAL, true); msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: untrusted session promoted to %strusted", tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-"); 
@@ -3720,7 +3720,7 @@ tls_pre_decrypt(struct tls_multi *multi, print_link_socket_actual(from, &gc)); new_link = true; - i = TM_UNTRUSTED; + i = TM_INITIAL; session->untrusted_addr = *from; } else @@ -3731,7 +3731,7 @@ tls_pre_decrypt(struct tls_multi *multi, /* * Packet must belong to an existing session. */ - if (i != TM_ACTIVE && i != TM_UNTRUSTED) + if (i != TM_ACTIVE && i != TM_INITIAL) { msg(D_TLS_ERRORS, "TLS Error: Unroutable control packet received from %s (si=%d op=%s)", diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 55c672d44..bd27e57a0 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -159,7 +159,7 @@ struct tls_multi *tls_multi_init(struct tls_options *tls_options); * @ingroup control_processor * * This function initializes the \c TM_ACTIVE \c tls_session, and in - * server mode also the \c TM_UNTRUSTED \c tls_session, associated with + * server mode also the \c TM_INITIAL \c tls_session, associated with * this \c tls_multi structure. It also configures the control channel's * \c frame structure based on the data channel's \c frame given in * argument \a frame. diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 978a9fca0..7d9c2460b 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h 
@@ -512,7 +512,7 @@ struct tls_session * * @{ */ #define TM_ACTIVE 0 /**< Active \c tls_session. */ -#define TM_UNTRUSTED 1 /**< As yet un-trusted \c tls_session +#define TM_INITIAL 1 /**< As yet un-trusted \c tls_session * being negotiated. */ #define TM_LAME_DUCK 2 /**< Old \c tls_session. */ #define TM_SIZE 3 /**< Size of the \c tls_multi.session
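Review bot: the log text in the @@ -3299 hunk of ssl.c still says "untrusted session promoted to %strusted" after the slot it refers to was renamed to TM_INITIAL; update the message in the same patch (for example "initial session promoted to %strusted") so log output and code share one vocabulary instead of leaving the fix to a later patch.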
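Review bot: in the @@ -3720 hunk of ssl.c the index becomes TM_INITIAL but the field written on the very next line is still `session->untrusted_addr`; if the rename is meant to retire the "untrusted" terminology, rename the field as well, otherwise say in the commit message that only the slot index is renamed and why the field keeps its old name.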
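Review bot: the doxygen comment on the renamed define in the ssl_common.h hunk still reads "As yet un-trusted \c tls_session being negotiated", so the header now documents TM_INITIAL with the old name's meaning; reword it to say why the slot is called initial rather than un-trusted, and give the patch a commit message body: it carries only a Signed-off-by, so the reason for the rename is not recorded with the change.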
From patchwork Sat Dec 24 19:42:46 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2938
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 24 Dec 2022 20:42:46 +0100
Message-Id: <20221224194253.3202231-3-arne@rfc2549.org>
In-Reply-To: <20221224194253.3202231-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 2/9] Always start session in TM_INITIAL rather than TM_ACTIVE or TM_INITIAL

Currently we start a new session in TM_ACTIVE or TM_INITIAL depending on whether we already have an active session in TM_ACTIVE or not. With this change, all sessions will be started in TM_INITIAL, both those initiated by a peer and those started by ourselves. This simplifies state transitions and eliminates the wacky state transition where, when we have a failed renegotiation (and move TM_ACTIVE to TM_LAME_DUCK), a new session of a peer starts in TM_ACTIVE rather than TM_INITIAL.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
--- src/openvpn/mudp.c | 2 +- src/openvpn/ssl.c | 99 ++++++++++++++++------------------------ 2 files changed, 36 insertions(+), 65 deletions(-) diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 458152335..c27c6da5b 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c
@@ -257,7 +257,7 @@ multi_get_create_instance_udp(struct multi_context *m, bool *floated) && session_id_defined((&state.peer_session_id))) { mi->context.c2.tls_multi->n_sessions++; - struct tls_session *session = &mi->context.c2.tls_multi->session[TM_ACTIVE]; + struct tls_session *session = &mi->context.c2.tls_multi->session[TM_INITIAL]; session_skip_to_pre_start(session, &state, &m->top.c2.from); } } diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index a5fb4fd22..b1dc80c40 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1327,11 +1327,7 @@ tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu) /* initialize the active and untrusted sessions */ tls_session_init(multi, &multi->session[TM_ACTIVE]); - - if (!multi->opt.single_session) - { - tls_session_init(multi, &multi->session[TM_INITIAL]); - } + tls_session_init(multi, &multi->session[TM_INITIAL]); } /* @@ -3173,8 +3169,11 @@ tls_multi_process(struct tls_multi *multi, struct key_state *ks = &session->key[KS_PRIMARY]; struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; - /* set initial remote address */ - if (i == TM_ACTIVE && ks->state == S_INITIAL + /* set initial remote address. This triggers connecting with that + * session. So we only do that if the TM_ACTIVE session is not + * established */ + if (i == TM_INITIAL && ks->state == S_INITIAL + && get_primary_key(multi)->state <= S_INITIAL && link_socket_actual_defined(&to_link_socket_info->lsa->actual)) { ks->remote_addr = to_link_socket_info->lsa->actual; @@ -3221,13 +3220,14 @@ tls_multi_process(struct tls_multi *multi, { ++multi->n_soft_errors; - if (i == TM_ACTIVE) + if (i == TM_ACTIVE + || (i == TM_INITIAL && get_primary_key(multi)->state < S_ACTIVE)) { error = true; } if (i == TM_ACTIVE - && ks_lame->state >= S_ACTIVE + && ks_lame->state >= S_GENERATED_KEYS && !multi->opt.single_session) { move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true); 
@@ -3302,7 +3302,9 @@ tls_multi_process(struct tls_multi *multi, if (TLS_AUTHENTICATED(multi, &multi->session[TM_INITIAL].key[KS_PRIMARY])) { move_session(multi, TM_ACTIVE, TM_INITIAL, true); - msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: untrusted session promoted to %strusted", + tas = tls_authentication_status(multi); + msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: initial untrusted " + "session promoted to %strusted", tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-"); if (multi->multi_state == CAS_CONNECT_DONE) @@ -3633,55 +3635,8 @@ tls_pre_decrypt(struct tls_multi *multi, /* * Hard reset and session id does not match any session in - * multi->session: Possible initial packet - */ - if (i == TM_SIZE && is_hard_reset_method2(op)) - { - struct tls_session *session = &multi->session[TM_ACTIVE]; - const struct key_state *ks = get_primary_key(multi); - - /* - * If we have no session currently in progress, the initial packet will - * open a new session in TM_ACTIVE rather than TM_UNTRUSTED. - */ - if (!session_id_defined(&ks->session_id_remote)) - { - if (multi->opt.single_session && multi->n_sessions) - { - msg(D_TLS_ERRORS, - "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]", - print_link_socket_actual(from, &gc)); - goto error; - } - -#ifdef ENABLE_MANAGEMENT - if (management) - { - management_set_state(management, - OPENVPN_STATE_AUTH, - NULL, - NULL, - NULL, - NULL, - NULL); - } -#endif - - msg(D_TLS_DEBUG_LOW, - "TLS: Initial packet from %s, sid=%s", - print_link_socket_actual(from, &gc), - session_id_print(&sid, &gc)); - - do_burst = true; - new_link = true; - i = TM_ACTIVE; - session->untrusted_addr = *from; - } - } - - /* - * If we detected new session in the last if block, variable i has - * changed to TM_ACTIVE, so check the condition again. + * multi->session: Possible initial packet. New sessions always start + * as TM_INITIAL */ if (i == TM_SIZE && is_hard_reset_method2(op)) { 
@@ -3689,16 +3644,17 @@ tls_pre_decrypt(struct tls_multi *multi, * No match with existing sessions, * probably a new session. */ - struct tls_session *session = &multi->session[TM_UNTRUSTED]; + struct tls_session *session = &multi->session[TM_INITIAL]; /* * If --single-session, don't allow any hard-reset connection request * unless it the first packet of the session. */ - if (multi->opt.single_session) + if (multi->opt.single_session && multi->n_sessions) { msg(D_TLS_ERRORS, - "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]", + "TLS Error: Cannot accept new session request from %s due " + "to session context expire or --single-session", print_link_socket_actual(from, &gc)); goto error; } @@ -3709,6 +3665,19 @@ tls_pre_decrypt(struct tls_multi *multi, goto error; } +#ifdef ENABLE_MANAGEMENT + if (management) + { + management_set_state(management, + OPENVPN_STATE_AUTH, + NULL, + NULL, + NULL, + NULL, + NULL); + } +#endif + /* * New session-initiating control packet is authenticated at this point, * assuming that the --tls-auth command line option was used. 
@@ -3716,9 +3685,11 @@ tls_pre_decrypt(struct tls_multi *multi, * Without --tls-auth, we leave authentication entirely up to TLS. */ msg(D_TLS_DEBUG_LOW, - "TLS: new session incoming connection from %s", - print_link_socket_actual(from, &gc)); + "TLS: Initial packet from %s, sid=%s", + print_link_socket_actual(from, &gc), + session_id_print(&sid, &gc)); + do_burst = true; new_link = true; i = TM_INITIAL; session->untrusted_addr = *from;
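Review bot: in the mudp.c hunk of multi_get_create_instance_udp, n_sessions is incremented and session_skip_to_pre_start() now targets multi->session[TM_INITIAL]; since the tls_pre_decrypt hunk in ssl.c now rejects hard resets with `multi->opt.single_session && multi->n_sessions`, confirm that a TM_INITIAL session created on this path and never promoted cannot leave a --single-session instance unable to accept its first real session, and add a comment on the increment explaining why it happens before the session is trusted.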
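Review bot: the comment kept above the tls_multi_init_finalize hunk still says "initialize the active and untrusted sessions", and the hunk drops the `!multi->opt.single_session` guard without saying why a --single-session context now needs a TM_INITIAL session; under the new model every session starts there, so it is required, and the comment should say so.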
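Review bot: in the @@ -3173 hunk of tls_multi_process the new comment says the remote address is only set "if the TM_ACTIVE session is not established", but the code tests `get_primary_key(multi)->state <= S_INITIAL`, which is stricter: a TM_ACTIVE key anywhere between S_INITIAL and S_ACTIVE is not established either, yet the branch is skipped. The @@ -3221 hunk encodes the same idea as `get_primary_key(multi)->state < S_ACTIVE`. Use one threshold in both places, or reword this comment to "if no TM_ACTIVE session has been started" if `<= S_INITIAL` is the intent.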
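Review bot: in the @@ -3221 hunk the lame-duck promotion threshold changes from `ks_lame->state >= S_ACTIVE` to `>= S_GENERATED_KEYS`; this is a behaviour change independent of where new sessions start and the commit message does not mention it. Explain it there (or split it into its own patch) and state the ordering of S_GENERATED_KEYS relative to S_ACTIVE that the new comparison relies on.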
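Review bot: in the @@ -3302 hunk `tas` is recomputed with tls_authentication_status(multi) right after move_session(); a one-line comment that the status must be re-read because the session has just moved into TM_ACTIVE would stop someone from "simplifying" the second call away later.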
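Review bot: in the @@ -3633 and @@ -3689 hunks of tls_pre_decrypt the two --single-session rejections ("[1]" guarded by `&& multi->n_sessions`, "[2]" unconditional) collapse into one guarded by `multi->opt.single_session && multi->n_sessions`, so the former unconditional rejection is relaxed. That is consistent with the first session now arriving on this path too, but it deserves a sentence in the commit message; also the kept comment two lines above still reads "unless it the first packet of the session" (missing "is").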
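Review bot: in the @@ -3709 hunk the management_set_state(OPENVPN_STATE_AUTH) call is re-added below the `goto error` at the top of the hunk, whereas the removed block issued it before reaching that check; a hard reset rejected there now no longer flips the management state to AUTH. That is a reasonable tightening but it is observable from the management interface, so state it in the commit message.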
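Review bot: in the final ssl.c hunk `do_burst = true` is now set for every new incoming session, whereas previously it was set only on the removed TM_ACTIVE path and not for a session arriving while another was active; add a short comment (or a commit message line) saying the burst is intended for that case as well.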
From patchwork Sat Dec 24 19:42:47 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2942
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 24 Dec 2022 20:42:47 +0100
Message-Id: <20221224194253.3202231-4-arne@rfc2549.org>
In-Reply-To: <20221224194253.3202231-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 3/9] Move dco_installed back to link_socket from link_socket.info.actual

This change was done in order to be able to differentiate when needing to use dco and when to use normal socket sendto.
Since we want to eventually completely use the userspace sockets for sending/receiving, we just switch to always use UDP sendto even if the socket is already installed in the kernel. Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/dco.c | 23 ++--------------------- src/openvpn/forward.c | 13 +++++++------ src/openvpn/init.c | 2 +- src/openvpn/mtcp.c | 6 +++--- src/openvpn/socket.c | 8 ++++---- src/openvpn/socket.h | 11 +++++------ 6 files changed, 22 insertions(+), 41 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 993265188..2f4d0f779 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -456,22 +456,6 @@ dco_check_pull_options(int msglevel, const struct options *o) return true; } -static void -addr_set_dco_installed(struct context *c) -{ - /* We ensure that all addresses we currently hold have the dco_installed - * bit set */ - for (int i = 0; i < KEY_SCAN_SIZE; ++i) - { - struct key_state *ks = get_key_scan(c->c2.tls_multi, i); - if (ks) - { - ks->remote_addr.dco_installed = true; - } - } - get_link_socket_info(c)->lsa->actual.dco_installed = true; -} - int dco_p2p_add_new_peer(struct context *c) { @@ -484,8 +468,6 @@ dco_p2p_add_new_peer(struct context *c) ASSERT(ls->info.connection_established); - addr_set_dco_installed(c); - struct sockaddr *remoteaddr = &ls->info.lsa->actual.dest.addr.sa; struct tls_multi *multi = c->c2.tls_multi; #ifdef TARGET_FREEBSD @@ -505,7 +487,7 @@ dco_p2p_add_new_peer(struct context *c) } c->c2.tls_multi->dco_peer_id = multi->peer_id; - c->c2.link_socket->info.lsa->actual.dco_installed = true; + c->c2.link_socket->dco_installed = true; return 0; } 
@@ -595,7 +577,6 @@ dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi) ASSERT(c->c2.link_socket_info->connection_established); remoteaddr = &c->c2.link_socket_info->lsa->actual.dest.addr.sa; } - addr_set_dco_installed(c); /* In server mode we need to fetch the remote addresses from the push config */ struct in_addr vpn_ip4 = { 0 }; @@ -633,7 +614,7 @@ dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi) { msg(D_DCO|M_ERRNO, "error closing TCP socket after DCO handover"); } - c->c2.link_socket->info.lsa->actual.dco_installed = true; + c->c2.link_socket->dco_installed = true; c->c2.link_socket->sd = SOCKET_UNDEFINED; } diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index c04511ee1..64c8ee6a0 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1674,9 +1674,10 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) } } -/* Linux DCO implementations pass the socket to the kernel and - * disallow usage of it from userland, so (control) packets sent and - * received by OpenVPN need to go through the DCO interface. +/* + * Linux DCO implementations pass the socket to the kernel and + * disallow usage of it from userland for TCP, so (control) packets + * sent and received by OpenVPN need to go through the DCO interface. * * Windows DCO needs control packets to be sent via the normal * standard Overlapped I/O. @@ -1688,10 +1689,10 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) * in the future...) in a small inline function. */ static inline bool -should_use_dco_socket(struct link_socket_actual *actual) +should_use_dco_socket(struct link_socket *ls) { #if defined(TARGET_LINUX) - return actual->dco_installed; + return ls->dco_installed && proto_is_tcp(ls->info.proto); #else return false; #endif 
@@ -1770,7 +1771,7 @@ process_outgoing_link(struct context *c) socks_preprocess_outgoing_link(c, &to_addr, &size_delta); /* Send packet */ - if (should_use_dco_socket(c->c2.to_link_addr)) + if (should_use_dco_socket(c->c2.link_socket)) { size = dco_do_write(&c->c1.tuntap->dco, c->c2.tls_multi->dco_peer_id, diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 409a8be2a..3380ed9e6 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3696,7 +3696,7 @@ do_close_link_socket(struct context *c) * closed in do_close_tun(). Set it to UNDEFINED so * we won't use WinSock API to close it. */ if (tuntap_is_dco_win(c->c1.tuntap) && c->c2.link_socket - && c->c2.link_socket->info.lsa->actual.dco_installed) + && c->c2.link_socket->dco_installed) { c->c2.link_socket->sd = SOCKET_UNDEFINED; } diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c index 07da15a6d..ac06ddc64 100644 --- a/src/openvpn/mtcp.c +++ b/src/openvpn/mtcp.c @@ -402,7 +402,7 @@ multi_tcp_wait_lite(struct multi_context *m, struct multi_instance *mi, const in tv_clear(&c->c2.timeval); /* ZERO-TIMEOUT */ - if (mi && mi->context.c2.link_socket->info.lsa->actual.dco_installed) + if (mi && mi->context.c2.link_socket->dco_installed) { /* If we got a socket that has been handed over to the kernel * we must not call the normal socket function to figure out @@ -537,7 +537,7 @@ multi_tcp_dispatch(struct multi_context *m, struct multi_instance *mi, const int case TA_INITIAL: ASSERT(mi); - if (!mi->context.c2.link_socket->info.lsa->actual.dco_installed) + if (!mi->context.c2.link_socket->dco_installed) { multi_tcp_set_global_rw_flags(m, mi); } @@ -590,7 +590,7 @@ multi_tcp_post(struct multi_context *m, struct multi_instance *mi, const int act } else { - if (!c->c2.link_socket->info.lsa->actual.dco_installed) + if (!c->c2.link_socket->dco_installed) { multi_tcp_set_global_rw_flags(m, mi); } diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 82787f9f2..c7ec0e06d 100644 --- a/src/openvpn/socket.c 
+++ b/src/openvpn/socket.c @@ -2147,7 +2147,7 @@ create_socket_dco_win(struct context *c, struct link_socket *sock, get_server_poll_remaining_time(sock->server_poll_timeout), signal_received); - sock->info.lsa->actual.dco_installed = true; + sock->dco_installed = true; if (*signal_received) { @@ -3480,7 +3480,7 @@ link_socket_write_udp_posix_sendmsg(struct link_socket *sock, static int socket_get_last_error(const struct link_socket *sock) { - if (sock->info.lsa->actual.dco_installed) + if (sock->dco_installed) { return GetLastError(); } @@ -3521,7 +3521,7 @@ socket_recv_queue(struct link_socket *sock, int maxsize) ASSERT(ResetEvent(sock->reads.overlapped.hEvent)); sock->reads.flags = 0; - if (sock->info.lsa->actual.dco_installed) + if (sock->dco_installed) { status = ReadFile((HANDLE)sock->sd, wsabuf[0].buf, wsabuf[0].len, &sock->reads.size, &sock->reads.overlapped); @@ -3626,7 +3626,7 @@ socket_send_queue(struct link_socket *sock, struct buffer *buf, const struct lin ASSERT(ResetEvent(sock->writes.overlapped.hEvent)); sock->writes.flags = 0; - if (sock->info.lsa->actual.dco_installed) + if (sock->dco_installed) { status = WriteFile((HANDLE)sock->sd, wsabuf[0].buf, wsabuf[0].len, &sock->writes.size, &sock->writes.overlapped); diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 929ef8187..05c31b104 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -88,7 +88,6 @@ struct link_socket_actual /*int dummy;*/ /* add offset to force a bug if dest not explicitly dereferenced */ struct openvpn_sockaddr dest; - bool dco_installed; #if ENABLE_IP_PKTINFO union { #if defined(HAVE_IN_PKTINFO) && defined(HAVE_IPI_SPEC_DST) @@ -169,6 +168,7 @@ struct link_socket socket_descriptor_t sd; socket_descriptor_t ctrl_sd; /* only used for UDP over Socks */ + bool dco_installed; #ifdef _WIN32 struct overlapped_io reads; 
@@ -1036,7 +1036,7 @@ link_socket_read_udp_win32(struct link_socket *sock, struct link_socket_actual *from) { sockethandle_t sh = { .s = sock->sd }; - if (sock->info.lsa->actual.dco_installed) + if (sock->dco_installed) { *from = sock->info.lsa->actual; sh.is_handle = true; @@ -1058,8 +1058,7 @@ link_socket_read(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *from) { - if (proto_is_udp(sock->info.proto) - || sock->info.lsa->actual.dco_installed) + if (proto_is_udp(sock->info.proto) || sock->dco_installed) /* unified UDPv4 and UDPv6, for DCO the kernel * will strip the length header */ { @@ -1102,7 +1101,7 @@ link_socket_write_win32(struct link_socket *sock, { int err = 0; int status = 0; - sockethandle_t sh = { .s = sock->sd, .is_handle = sock->info.lsa->actual.dco_installed }; + sockethandle_t sh = { .s = sock->sd, .is_handle = sock->dco_installed }; if (overlapped_io_active(&sock->writes)) { status = sockethandle_finalize(sh, &sock->writes, NULL, NULL); 
@@ -1176,7 +1175,7 @@ link_socket_write(struct link_socket *sock, struct buffer *buf, struct link_socket_actual *to) { - if (proto_is_udp(sock->info.proto) || to->dco_installed) + if (proto_is_udp(sock->info.proto) || sock->dco_installed) { /* unified UDPv4 and UDPv6 and DCO (kernel adds size header) */ return link_socket_write_udp(sock, buf, to);
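Review bot: the removed addr_set_dco_installed() in the first dco.c hunk also marked every key_state's remote_addr.dco_installed, and the socket.h hunk deletes that field from struct link_socket_actual, so any reader of the per-address flag that is not in this diff would now fail to compile; the only such reader visible here is process_outgoing_link, which the forward.c hunk switches from c->c2.to_link_addr to c->c2.link_socket. Please state in the commit message that the per-address flag had no other consumers (in particular no path where c->c2.to_link_addr is not the socket's own lsa->actual), since that is the assumption that makes a single per-socket flag equivalent to the old per-address one.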
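Review bot: the should_use_dco_socket() hunk in forward.c does more than move a flag: adding "&& proto_is_tcp(ls->info.proto)" changes behaviour on Linux so that UDP control packets for an installed peer now go through sendto instead of dco_do_write, and the comment above it is reworded to "for TCP" to match. The commit title only describes the refactor; either split the sendto change into its own commit or name it in the title, because anyone bisecting for the send-path change the body mentions will otherwise land on a commit titled as a pure move. Also, the socket.h hunk for link_socket_read() still selects the unified read path with "proto_is_udp(sock->info.proto) || sock->dco_installed", so a short comment there noting that only the write side is now TCP-specific would keep the two sites from drifting apart.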
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 24 Dec 2022 20:42:48 +0100
Message-Id: <20221224194253.3202231-5-arne@rfc2549.org>
In-Reply-To: <20221224194253.3202231-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 4/9] Ensure we do not promote a TA_TIMEOUT to a TA_WRITE/TA_READ event with dco

With dco sometimes we end up promoting a timeout event to write event or read event. For the residual read, this problem is probably not solvable without changing the kernel DCO API.

Signed-off-by: Arne Schwabe --- src/openvpn/forward.c | 24 ------------------------ src/openvpn/forward.h | 30 ++++++++++++++++++++++++++++++ src/openvpn/mtcp.c | 14 ++++++++++++-- 3 files changed, 42 insertions(+), 26 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 64c8ee6a0..17a14f0bd 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c
@@ -1674,30 +1674,6 @@ process_ip_header(struct context *c, unsigned int flags, struct buffer *buf) } } -/* - * Linux DCO implementations pass the socket to the kernel and - * disallow usage of it from userland for TCP, so (control) packets - * sent and received by OpenVPN need to go through the DCO interface. - * - * Windows DCO needs control packets to be sent via the normal - * standard Overlapped I/O. - * - * FreeBSD DCO allows control packets to pass through the socket in both - * directions. - * - * Hide that complexity (...especially if more platforms show up - * in the future...) in a small inline function. - */ -static inline bool -should_use_dco_socket(struct link_socket *ls) -{ -#if defined(TARGET_LINUX) - return ls->dco_installed && proto_is_tcp(ls->info.proto); -#else - return false; -#endif -} - /* * Input: c->c2.to_link */ diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index bd2d96010..e50f235da 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -424,4 +424,34 @@ connection_established(struct context *c) } } + +/** + * @param ls the link_socket the decision should be made for + * @return if we should use the dco kernel api or normal socket APIs for + * write/send + * + * + * Linux DCO implementations pass the socket to the kernel and + * disallow usage of it from userland for TCP, so (control) packets + * sent and received by OpenVPN need to go through the DCO interface. + * + * Windows DCO needs control packets to be sent via the normal + * standard Overlapped I/O. + * + * FreeBSD DCO allows control packets to pass through the socket in both + * directions. + * + * Hide that complexity (...especially if more platforms show up + * in the future...) in a small inline function. + */ +static inline bool +should_use_dco_socket(struct link_socket *ls) +{ +#if defined(TARGET_LINUX) + return ls->dco_installed && proto_is_tcp(ls->info.proto); +#else + return false; +#endif +} + #endif /* FORWARD_H */ 
diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c index ac06ddc64..263f4d994 100644 --- a/src/openvpn/mtcp.c +++ b/src/openvpn/mtcp.c @@ -407,7 +407,7 @@ multi_tcp_wait_lite(struct multi_context *m, struct multi_instance *mi, const in /* If we got a socket that has been handed over to the kernel * we must not call the normal socket function to figure out * if it is readable or writable */ - /* Assert that we only have the DCO exptected flags */ + /* Assert that we only have the DCO expected flags */ ASSERT(action & (TA_SOCKET_READ | TA_SOCKET_WRITE)); /* We are always ready! */ @@ -567,7 +567,7 @@ multi_tcp_post(struct multi_context *m, struct multi_instance *mi, const int act { flags |= MTP_TUN_OUT; } - if (LINK_OUT(c)) + if (LINK_OUT(c) && !should_use_dco_socket(c->c2.link_socket)) { flags |= MTP_LINK_OUT; } 
@@ -586,6 +586,16 @@ multi_tcp_post(struct multi_context *m, struct multi_instance *mi, const int act case MTP_NONE: if (mi && socket_read_residual(c->c2.link_socket)) { + if (should_use_dco_socket(c->c2.link_socket)) + { + struct gc_arena gc = gc_new(); + msg(M_INFO, "ovpn-dco installed socket with residual read " + "len=%d, mi=%s. This connection will probably" + " break.", BLEN(&c->c2.link_socket->stream_buf.residual), + multi_instance_string(mi, false, &gc)); + gc_free(&gc); + break; + } newaction = TA_SOCKET_READ_RESIDUAL; } else
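Review bot: in the forward.h hunk the doxygen block has a doubled empty " *" line after @return, and the @return text "if we should use the dco kernel api or normal socket APIs for write/send" does not say which value means which; suggest "@return true if control packets must be written through the DCO API, false if the normal socket API is to be used". Since should_use_dco_socket() is now a static inline in a header, struct link_socket and proto_is_tcp() must be in scope for every includer of forward.h; please confirm forward.h pulls in socket.h itself rather than relying on include order in the .c files.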
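Review bot: the mtcp.c hunk that changes the condition to "if (LINK_OUT(c) && !should_use_dco_socket(c->c2.link_socket))" deserves a one-line comment at the site, because the reason MTP_LINK_OUT must not be requested for a kernel-owned socket (multi_tcp_wait_lite reports such a socket as always ready, so a TA_TIMEOUT would be promoted to TA_WRITE, which is exactly the bug in the commit title) cannot be recovered from the condition alone. The unrelated typo fix "exptected" to "expected" in the earlier mtcp.c hunk would be cleaner as its own commit.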
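Review bot: in the MTP_NONE hunk the new branch logs and then "break"s, but nothing in it consumes or clears c->c2.link_socket->stream_buf.residual, so socket_read_residual() will keep returning true and this M_INFO message will be emitted again on every subsequent multi_tcp_post() for that instance. If the connection is expected to break anyway, as the message text says, either discard the residual buffer after logging or mark the instance for close so the condition is reported once; a per-event M_INFO line for a condition that does not go away is also a log-volume problem on a busy server.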
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 24 Dec 2022 20:42:49 +0100
Message-Id: <20221224194253.3202231-6-arne@rfc2549.org>
In-Reply-To: <20221224194253.3202231-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 5/9] Also drop incoming dco packet content when dropping the packet

If we get a message from a mismatched packet we need to clear the incoming message buffer to ensure we can receive another packet.
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/forward.c | 2 ++ src/openvpn/multi.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 17a14f0bd..61caf1146 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1194,6 +1194,8 @@ process_incoming_dco(struct context *c) msg(D_DCO_DEBUG, "%s: received message for mismatching peer-id %d, " "expected %d", __func__, dco->dco_message_peer_id, c->c2.tls_multi->dco_peer_id); + /* ensure we also drop a message if there is one in the buffer */ + buf_init(&dco->dco_packet_in, 0); return; } diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index fcb308151..9a20112e2 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -3276,6 +3276,8 @@ multi_process_incoming_dco(struct multi_context *m) else { msg(D_DCO, "Received packet for peer-id unknown to OpenVPN: %d", peer_id); + /* Also clear the buffer if this was incoming packet for a dropped peer */ + buf_init(&dco->dco_packet_in, 0); } dco->dco_message_type = 0;
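Review bot: the multi.c hunk clears dco_packet_in and then falls through to the existing "dco->dco_message_type = 0;", but the forward.c hunk returns straight after "buf_init(&dco->dco_packet_in, 0);"; please confirm dco_message_type is also reset on that early-return path, otherwise the next pass through process_incoming_dco could act on a stale message type with an empty buffer. Since both drop sites now have to remember the same two resets, a small helper called from both (for example a hypothetical dco_drop_incoming_message(dco)) would keep them from drifting; and the comment grammar should read "if this was an incoming packet for a dropped peer".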
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 24 Dec 2022 20:42:50 +0100
Message-Id: <20221224194253.3202231-7-arne@rfc2549.org>
In-Reply-To: <20221224194253.3202231-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 6/9] Do not set nl socket buffer size

libnl increases the sizes we pass to 8192 anyway. Currently when we have a lot of events queued we might run into a NLE_NOMEM message and that terminates the server. So rather let the kernel decide the buffer sizes.
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/dco_linux.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 222537fc1..d4bca555d 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c 
@@ -348,9 +348,6 @@ ovpn_dco_init_netlink(dco_context_t *dco) msg(M_ERR, "Cannot create netlink socket"); } - /* TODO: Why are we setting this buffer size? */ - nl_socket_set_buffer_size(dco->nl_sock, 8192, 8192); - int ret = genl_connect(dco->nl_sock); if (ret) { From patchwork Sat Dec 24 19:42:51 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2936 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:c95:b0:82:e4b3:40a0 with SMTP id p21csp1133664dyk; Sat, 24 Dec 2022 11:43:29 -0800 (PST) X-Google-Smtp-Source: AMrXdXsbecBiQ+bJfFqJi6uhkoFmg8HfYQJXKC3xS1D2bJ5Fl370oYn+HKzdrd1iqsnttwk5pxUf X-Received: by 2002:a17:902:fe0c:b0:192:5c3e:8939 with SMTP id g12-20020a170902fe0c00b001925c3e8939mr8154070plj.0.1671911008944; Sat, 24 Dec 2022 11:43:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1671911008; cv=none; d=google.com; s=arc-20160816; b=jtSTQPv2ZiYk7NySxdG5PusFoNtf18oT5MwzpDgpf78hr6nIwljdr4b9mB+LbyXGZO NgEsexkzaI9i3CH/F3lSiIJnl3a3eof/TuqFw9SwsTQNtzY8dzwD23tBaRn4Bq7yKCwK HffQB4AAx5n1pgpc4ZmrTJ2qK5H4dqywScIoPE8Gi+EqSv6SDsPnzv8NX4FMPNex+UuT XbPBqt/K0MdgqCvLfZhiiqiOYP+66St6jLRfXJKfeeU5468A4IIaEsflxEcCWgfQ4XlT MAk5zAvzKaNoJYrzn348gOZoBCMfXL/7D98srWKS1Ifgx9l9ijojtffDQzBW79IHGMB2 181A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature; bh=hj4fkBlJhOlb8hWYmOke4IP4kyJ/zatla7bb9tnAExg=; b=KxU5zYy2K1OB/qKRnNUj9CG/c3j3qNS/BMHd68llf+IE6oIO4srpE/cgt4cYd8V7PY S/1beD38wc1RXoZQNXRp3py+K+2wL/lKFlz0AiC8dypbjBsBiY2TmV+oAkmWmtXx9hkf ubY6hASx1rGD/P7YQShf+N9Ou/t37FfT+7Zjs8IkEe4/0A8ESaPnfhIOLdiUVoFlwuwC K0Dis4lVQ2s3Ig5HloHU0pz9wxm+NoII0YiOD68rm/ZYEOul1YucfWCE7JzyOBrlcTGs 
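Review bot: Dropping the nl_socket_set_buffer_size() call leaves the netlink socket on the kernel defaults (net.core.rmem_default / wmem_default), which is what the commit message wants, but the TODO it deletes asked why the size was being set and the hunk leaves nothing in its place; a one-line comment above genl_connect() saying the kernel default is relied on deliberately would stop someone reintroducing a fixed size later. The commit message also states that an NLE_NOMEM on the receive path terminates the server; a larger default buffer makes an overrun under event bursts less likely but does not remove that failure mode, so the receive error handling (outside this hunk) is still worth making non-fatal, for example by logging the overrun and resynchronising peer state, rather than relying on buffer sizing alone.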
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 24 Dec 2022 20:42:51 +0100
Message-Id: <20221224194253.3202231-8-arne@rfc2549.org>
In-Reply-To: <20221224194253.3202231-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 7/9] Bail out when trying to install a TCP socket with residual data to DCO

Instead of getting the server in a very weird state, we bail out here. This is only a band-aid solution but better than the alternatives.
Signed-off-by: Arne Schwabe --- src/openvpn/mtcp.c | 2 +- src/openvpn/multi.c | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c index 263f4d994..3837ccbab 100644 --- a/src/openvpn/mtcp.c +++ b/src/openvpn/mtcp.c @@ -591,7 +591,7 @@ multi_tcp_post(struct multi_context *m, struct multi_instance *mi, const int act struct gc_arena gc = gc_new(); msg(M_INFO, "ovpn-dco installed socket with residual read " "len=%d, mi=%s. This connection will probably" - " break.", BLEN(&c->c2.link_socket->stream_buf.residual), + " break.", BLEN(&c->c2.link_socket->stream_buf.buf), multi_instance_string(mi, false, &gc)); gc_free(&gc); break; diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 9a20112e2..d29b7efe3 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -2316,9 +2316,17 @@ multi_client_setup_dco_initial(struct multi_context *m, { if (!dco_enabled(&mi->context.options)) { - /* DCO not enabled, nothing to do, return sucess */ + /* DCO not enabled, nothing to do, return success */ return true; } + + if (socket_read_residual(mi->context.c2.link_socket)) + { + msg(M_INFO, "TCP socket with half read packet. Cannot install to " + "DCO: %s", multi_instance_string(mi, false, gc)); + return false; + } + int ret = dco_multi_add_new_peer(m, mi); if (ret < 0) { From patchwork Sat Dec 24 19:42:52 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2937 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:c95:b0:82:e4b3:40a0 with SMTP id p21csp1133667dyk; Sat, 24 Dec 2022 11:43:29 -0800 (PST) X-Google-Smtp-Source: AMrXdXssYMMegX4P3KtUg03Pjd58r9VhMy2C+dBowdp7xItcqh3sxBHaLyFHIiE+xDURwRbtkJOE X-Received: by 2002:a05:6a20:c709:b0:9d:efbe:2078 with SMTP id hi9-20020a056a20c70900b0009defbe2078mr18244497pzb.46.1671911009046; Sat, 24 Dec 2022 11:43:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1671911009; cv=none; d=google.com; s=arc-20160816; b=Vi8+vA6/3wzGJDlvdqtPYaJMMtiWGix7XVKdi8lPv7z0srE2mhGWgk0elUUSimJ9jV s4GPQVonT+XVA7xqDIfcn3rRKhWVzWNSAk4+Tjh3siSOwzCoOPQZkER6mwQL44ECmb8i N3MolWjkNA1e1WgISIoSbMKKMih0Ha8R4H75dBp7McEeZHLYLmkESb/xk9iD1uL4mWZB ntGvk81O15fWm8rBHf88QLrf4NvQMa28tpPg8TW91ehSLWBZjqXAGAh1U9DO61FiVmTL i6ynq1bfyNuXNjQKl5svuFWhdJ+f0jr/VK1Y76rV4AfCwbJg+OyTDhatpHwgOq91FKrf WxEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature; bh=5iHa4H0tF4LLrtb1g9QMQRFyRBkNYC8n0ogFZsXSIuA=; b=J3mSfOaYAcNjQKv6BYuVXGcBUR1swue9wNTJq7qpQc/tT26CwHSpreIUC2Ebqza3ty 
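Review bot: In the mtcp.c hunk the logged value changes from BLEN(&c->c2.link_socket->stream_buf.residual) to BLEN(&c->c2.link_socket->stream_buf.buf) while the message text still says "residual read len", and neither the hunk nor the commit message says why; either the message should describe what stream_buf.buf holds at that point or the commit message should explain the switch. Since the multi.c hunk now refuses the DCO install based on socket_read_residual(), it would be cleaner for this message to report the same quantity that predicate checks, so the two paths cannot disagree about what "residual" means.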
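Review bot: In the multi.c hunk the early return sits before dco_multi_add_new_peer(), which is the right place, but the context lines show neither what the caller does with a false return nor that `gc` (passed to multi_instance_string(mi, false, gc)) is the function's own arena; confirm the caller tears the client down rather than leaving a half-initialised instance, since that is the "very weird state" the commit message wants to avoid. Minor: "half read packet" should be "half-read packet", and because a false return here looks the same to the caller as a DCO failure, the distinct log text is the only way to tell the two apart, which is worth a sentence in the commit message.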
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 24 Dec 2022 20:42:52 +0100
Message-Id: <20221224194253.3202231-9-arne@rfc2549.org>
In-Reply-To: <20221224194253.3202231-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 8/9] Improve logging when seeing a message for an unknown peer

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/multi.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index d29b7efe3..6c6385c6e 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c 
@@ -3283,7 +3283,17 @@ multi_process_incoming_dco(struct multi_context *m) } else { - msg(D_DCO, "Received packet for peer-id unknown to OpenVPN: %d", peer_id); + int msglevel = D_DCO; + if (dco->dco_message_type == OVPN_CMD_DEL_PEER + && dco->dco_del_peer_reason == OVPN_DEL_PEER_REASON_USERSPACE) + { + /* we get notified after we kill the peer ourselves and probably + * have already forgotten about it. This is expected */ + msglevel = D_DCO_DEBUG; + } + msg(msglevel, "Received packet for peer-id unknown to OpenVPN: %d, " + "type %d, reason %d", peer_id, dco->dco_message_type, + dco->dco_del_peer_reason); /* Also clear the buffer if this was incoming packet for a dropped peer */ buf_init(&dco->dco_packet_in, 0); } From patchwork Sat Dec 24 19:42:53 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2935 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:c95:b0:82:e4b3:40a0 with SMTP id p21csp1133663dyk; Sat, 24 Dec 2022 11:43:29 -0800 (PST) X-Google-Smtp-Source: AMrXdXvIPBp0pHxpJ4UZIXMunZ/TXD5PTWQ8H+gayiDrkLha3N+Csf9wUFHQ3RHmShE+7EVJVmhX X-Received: by 2002:a17:903:230a:b0:189:d3d9:9308 with SMTP id d10-20020a170903230a00b00189d3d99308mr20055929plh.34.1671911008970; Sat, 24 Dec 2022 11:43:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1671911008; cv=none; d=google.com; s=arc-20160816; b=b7sWcWw1fxMNVoDbR90mmwCnDVYcP/E/mmdSKNQtwIgFGXmpgB8OE6J7HuyhRnnRQD tPESL40W/6L30IQLUke8qHoLOA38s/VxsKKbQdpow1zQ8bgAaS23Ts3d/tWLJug2lx1G 7CV66eozlzEnSFbe3SqoaqFT7/Gcx7rYnqAiws8mGuURSuDTLNln57dWLkODM5jTF4oZ gAAMIsHqgglOvEG6EezQgkIXihKzIpHjgn9CtCBQLKzectMx4lYvJEamJeO+U8227Un3 4BvUiprke5YGnGKrPXcN8Ptm+nm2v5mRZvX2HXBPdSjMg/DWpxwpnFmaXQVZpwdMtA0p FThA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help 
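Review bot: `dco->dco_del_peer_reason` is now printed for every unknown-peer message, not only for OVPN_CMD_DEL_PEER, so for other message types the logged reason is whatever the field held from an earlier message unless it is reset on every receive; either print the reason only when dco_message_type is OVPN_CMD_DEL_PEER or make sure the field is cleared per message, otherwise the log will show misleading reasons. Downgrading our own deletions to D_DCO_DEBUG is sensible, and keeping the remaining case (a packet for a peer-id the daemon never knew) at D_DCO is right, as that is the one an operator should notice in the logs. The commit message is empty apart from the subject; a sentence describing the downgrade and the extra fields would help.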
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 24 Dec 2022 20:42:53 +0100
Message-Id: <20221224194253.3202231-10-arne@rfc2549.org>
In-Reply-To: <20221224194253.3202231-1-arne@rfc2549.org>
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 6c6385c6e..858d602ca 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -473,6 +473,10 @@ multi_instance_string(const struct mul [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1p9AQA-0000xg-Mk Subject: [Openvpn-devel] [PATCH 9/9] Ignore OVPN_DEL_PEER_REASON_USERSPACE to avoid race conditions X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1753125758194682808?= X-GMAIL-MSGID: =?utf-8?q?1753125758194682808?= Signed-off-by: Arne Schwabe --- src/openvpn/multi.c | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 6c6385c6e..858d602ca 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -473,6 +473,10 @@ multi_instance_string(const struct multi_instance *mi, bool null, struct gc_aren buf_printf(&out, "%s/", cn); } buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc)); + if (mi->context.c2.tls_multi) + { + buf_printf(&out, " peer-id=%d", mi->context.c2.tls_multi->peer_id); + } return BSTR(&out); } else if (null) 
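Review bot: Appending " peer-id=%d" changes the output of multi_instance_string(), which prefixes a large share of the server's per-client log lines; anything that parses those lines (log-based alerting, ban rules, SIEM field extractors) will see a new trailing token, so this deserves a mention in the commit message (currently empty apart from the subject) and in the changelog. Also check the format specifier against the type of tls_multi->peer_id: if it is an unsigned type, %u avoids printing large ids as negative numbers.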
@@ -3243,10 +3247,19 @@ process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi, break; case OVPN_DEL_PEER_REASON_USERSPACE: - /* This very likely ourselves but might be another process, so - * still process it */ - reason = "ovpn-dco: userspace request"; - break; + /* We assume that is ourselves. UUnfortunately, sometimes these + * events happen with enough delay that they can have an order of + * + * dco_del_peer x + * [new client connecting] + * dco_new_peer x + * event from dco_del_peer arrives. + * + * if we do not ignore this we get desynced with the kernel + * since we assume the peer-id is free again. The other way would + * be to send a dco_del_peer again + */ + return; } /* When kernel already deleted the peer, the socket is no longer
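Review bot: Replacing `break` with `return` makes the OVPN_DEL_PEER_REASON_USERSPACE case skip everything after the switch, including the "When kernel already deleted the peer, the socket is no longer" handling visible in the trailing context; confirm nothing there is needed for the stale-event case. The removed comment allowed for the deletion coming from another process, while the new comment assumes it is always ourselves, so a userspace deletion by another tool is now silently ignored and the daemon would keep a peer the kernel has already dropped; that assumption belongs in the commit message (currently empty) together with the ordering diagram from the comment. Typo in the comment: "UUnfortunately" should be "Unfortunately".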