From patchwork Tue Dec 16 14:42:00 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4689
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 16 Dec 2025 15:42:00 +0100
Message-ID: <20251216144207.12171-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.51.2
Subject: [Openvpn-devel] [PATCH v6] Change ssl_ctx in struct tls_options to be a pointer

From: Arne Schwabe

The SSL CTX is shared between all of the instances. So any change to the
SSL CTX will affect all instances. Currently the CRL is also reloaded
potentially multiple times, as each copy of tls_root_ctx has its own
crl_last_mtime and crl_last_size values that are checked to determine
whether the CRL reload is necessary.

Changing it to a pointer will make it more clear that this is shared and
also the CRL being reloaded multiple times.

Change-Id: I21251a42f94fa1d9de083d2acd95b887658c5760
Signed-off-by: Arne Schwabe
Acked-by: MaxF
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1431
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1431
This mail reflects revision 6 of this Change.

Acked-by according to Gerrit (reflected above):
MaxF

diff --git a/src/openvpn/init.c b/src/openvpn/init.c index cd01520..ee198ce 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c
@@ -2964,9 +2964,10 @@ key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx) { free_key_ctx_bi(&ks->static_key); - if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx) + if (tls_ctx_initialised(ks->ssl_ctx) && free_ssl_ctx) { - tls_ctx_free(&ks->ssl_ctx); + tls_ctx_free(ks->ssl_ctx); + free(ks->ssl_ctx); free_key_ctx(&ks->auth_token_key); } CLEAR(*ks); @@ -3121,14 +3122,15 @@ { const struct options *options = &c->options; - if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) + if (!tls_ctx_initialised(c->c1.ks.ssl_ctx)) { /* * Initialize the OpenSSL library's global * SSL context. */ - init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set); - if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) + ASSERT(NULL == c->c1.ks.ssl_ctx); + c->c1.ks.ssl_ctx = init_ssl(options, c->c0 && c->c0->uid_gid_chroot_set); + if (!tls_ctx_initialised(c->c1.ks.ssl_ctx)) { switch (auth_retry_get()) { diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 3e1ae78..9325e21 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -60,7 +60,7 @@ struct key_ctx_bi static_key; /* our global SSL context */ - struct tls_root_ctx ssl_ctx; + struct tls_root_ctx *ssl_ctx; /* optional TLS control channel wrapping */ struct key_type tls_auth_key_type; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 741f40a..5ee51e9 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -507,11 +507,9 @@ * Initialize SSL context. * All files are in PEM format. */ -void -init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot) +struct tls_root_ctx * +init_ssl(const struct options *options, bool in_chroot) { - ASSERT(NULL != new_ctx); - tls_clear_error(); if (key_is_external(options)) @@ -519,6 +517,9 @@ load_xkey_provider(); } + struct tls_root_ctx *new_ctx; + ALLOC_OBJ_CLEAR(new_ctx, struct tls_root_ctx); + if (options->tls_server) { tls_ctx_server_new(new_ctx); 
@@ -664,12 +665,13 @@ #endif tls_clear_error(); - return; + return new_ctx; err: tls_clear_error(); tls_ctx_free(new_ctx); - return; + free(new_ctx); + return NULL; } /* @@ -821,7 +823,7 @@ * Build TLS object that reads/writes ciphertext * to/from memory BIOs. */ - key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server, session); + key_state_ssl_init(&ks->ks_ssl, session->opt->ssl_ctx, session->opt->server, session); /* Set control-channel initiation mode */ ks->initial_opcode = session->initial_opcode; @@ -872,11 +874,12 @@ /* * Attempt CRL reload before TLS negotiation. Won't be performed if - * the file was not modified since the last reload + * the file was not modified since the last reload. This affects + * all instances (all instances share the same context). */ if (session->opt->crl_file && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR)) { - tls_ctx_reload_crl(&session->opt->ssl_ctx, session->opt->crl_file, + tls_ctx_reload_crl(session->opt->ssl_ctx, session->opt->crl_file, session->opt->crl_file_inline); } } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index db8a798..9ee9f38 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -144,7 +144,7 @@ * Build master SSL context object that serves for the whole of OpenVPN * instantiation */ -void init_ssl(const struct options *options, struct tls_root_ctx *ctx, bool in_chroot); +struct tls_root_ctx *init_ssl(const struct options *options, bool in_chroot); /** @addtogroup control_processor * @{ */ diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 3129299..2764840 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h 
@@ -305,8 +305,10 @@ */ struct tls_options { - /* our master TLS context from which all SSL objects derived */ - struct tls_root_ctx ssl_ctx; + /* our master TLS context from which all SSL objects are derived, + * this context is shared between all instances in p2pm with + * inherit_context_child. */ + struct tls_root_ctx *ssl_ctx; /* data channel cipher, hmac, and key lengths */ struct key_type key_type; diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 3440319..28b92ed 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -157,8 +157,10 @@ bool tls_ctx_initialised(struct tls_root_ctx *ctx) { - ASSERT(NULL != ctx); - return ctx->initialised; + /* either this should be NULL or should be non-null and then have a + * valid TLS ctx inside as well */ + ASSERT(NULL == ctx || ctx->initialised); + return ctx != NULL; } #if !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index a4a6863..48bbdfc 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -147,8 +147,10 @@ bool tls_ctx_initialised(struct tls_root_ctx *ctx) { - ASSERT(NULL != ctx); - return NULL != ctx->ctx; + /* either this should be NULL or should be non-null and then have a + * valid TLS ctx inside as well */ + ASSERT(ctx == NULL || ctx->ctx != NULL); + return ctx != NULL; } bool diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 250c806..b7de550 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -572,7 +572,7 @@ tls_verify_crl_missing(const struct tls_options *opt) { if (opt->crl_file && !(opt->ssl_flags & SSLF_CRL_VERIFY_DIR) - && (opt->ssl_ctx.crl == NULL || opt->ssl_ctx.crl->version == 0)) + && (opt->ssl_ctx->crl == NULL || opt->ssl_ctx->crl->version == 0)) { return true; } diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 6cb04ee..633f78d 100644 
--- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -799,7 +799,7 @@ return false; } - X509_STORE *store = SSL_CTX_get_cert_store(opt->ssl_ctx.ctx); + X509_STORE *store = SSL_CTX_get_cert_store(opt->ssl_ctx->ctx); if (!store) { crypto_msg(M_FATAL, "Cannot get certificate store");
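Review bot: in the key_schedule_free hunk of init.c, releasing the context is now two separate calls at the call site, `tls_ctx_free(ks->ssl_ctx);` followed by `free(ks->ssl_ctx);`, and the same pair is repeated in the `err:` path of init_ssl in ssl.c. Since init_ssl is the only place that allocates the object (ALLOC_OBJ_CLEAR), consider pairing it with one release helper that does both, so a future caller cannot free the backend state and leak the struct, or the reverse. The freed pointer is left dangling only until the following `CLEAR(*ks);`, which is fine as long as nothing gets inserted between the two.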
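Review bot: the @@ -3121 hunk in init.c adds `ASSERT(NULL == c->c1.ks.ssl_ctx);` before storing the result of init_ssl, but the statement that hands this pointer to struct tls_options (the ssl_ctx member changed in ssl_common.h) does not appear in the diff. With a struct member, a plain assignment copied the whole tls_root_ctx, including crl_last_mtime and crl_last_size, which is the per-instance copy the commit message describes; with a pointer member the identical source line is a pointer copy and is what makes the context shared. Please confirm in review that every place that previously copied ks.ssl_ctx into tls_options is now that pointer copy and that none of them took &ks.ssl_ctx, since an unchanged line cannot show up in the diff. The following `if (!tls_ctx_initialised(c->c1.ks.ssl_ctx))` now reduces to a NULL check on the init_ssl return value, which matches the new NULL-on-error contract.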
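Review bot: in the ssl.c init_ssl hunks (@@ -507 and @@ -519) the `err:` label now frees `new_ctx`, but the object is only allocated after `tls_clear_error();` and the `if (key_is_external(options))` block, and the hunk context ends at `load_xkey_provider();`. Please confirm that no `goto err` can be reached before `ALLOC_OBJ_CLEAR(new_ctx, struct tls_root_ctx);`, since new_ctx would be indeterminate there; moving the declaration and allocation to the top of the function, where the removed `ASSERT(NULL != new_ctx);` used to sit, would make that invariant hold by construction.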
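Review bot: the ssl.h hunk changes init_ssl to return `struct tls_root_ctx *` but leaves the doc comment ("Build master SSL context object that serves for the whole of OpenVPN instantiation") as it was, so neither the NULL return on failure (visible in the `err:` path in ssl.c) nor the ownership rule is documented. Suggest adding a return clause along the lines of: newly allocated context, or NULL on error; the caller owns it and must release it with tls_ctx_free() followed by free().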
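Review bot: the ssl_common.h comment hunk reads as one run-on sentence: `/* our master TLS context from which all SSL objects are derived, * this context is shared between all instances in p2pm with * inherit_context_child. */`. Suggest splitting it, e.g. "... are derived. In p2pm mode this context is shared between all instances (see inherit_context_child)." It would also help to state who owns the object, since key_schedule_free only releases it when free_ssl_ctx is true.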
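Review bot: the two tls_ctx_initialised hunks (ssl_mbedtls.c and ssl_openssl.c) turn the function from a query on the context it is handed into an assertion: `ASSERT(NULL == ctx || ctx->initialised); return ctx != NULL;`. An allocated but not yet initialised context, which used to yield false, now trips the ASSERT. That is consistent with init_ssl, which frees and returns NULL on its error path rather than handing back a half-built object, but any caller that relied on the old false return for such a context needs checking. Minor: the two backends spell the same condition in opposite order (`NULL == ctx` versus `ctx == NULL`); pick one.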
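Review bot: in the ssl_verify_mbedtls.c and ssl_verify_openssl.c hunks, `opt->ssl_ctx->crl` and `SSL_CTX_get_cert_store(opt->ssl_ctx->ctx)` dereference the new pointer unconditionally. The former struct member could not be NULL; the pointer can, so these paths now depend on the invariant that a tls_options never reaches certificate verification without a context. An `ASSERT(opt->ssl_ctx)` at the top of these helpers, or a comment stating that invariant, would make the dependency visible to the next reader.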