From patchwork Thu Jul 9 00:15:56 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1222
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 9 Jul 2020 12:15:56 +0200
Message-Id: <20200709101603.11941-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 1/8] Deprecate ncp-disable and add improved ncp to Changes.rst

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 Changes.rst           | 18 ++++++++++++++++++
 src/openvpn/options.c |  5 ++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/Changes.rst b/Changes.rst
index 00dd6ed8..2752d29b 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -13,6 +13,24 @@ ChaCha20-Poly1305 cipher support Added support for using the ChaCha20-Poly1305 cipher in the OpenVPN data channel. +Improved Data channel cipher negotiation + OpenVPN clients will now signal all supported cipher from the + ``ncp-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN + servers will select the first common cipher from the ``ncp-ciphers`` + list instead of blindly pushing the first cipher of the list. This + allows to use a configuration like + ``ncp-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that + prefers ChaCha20-Poly1305 but uses it only if the client supports it. + +Deprecated features +------------------- +For an up-to-date list of all deprecated options, see this wiki page: +https://community.openvpn.net/openvpn/wiki/DeprecatedOptions + +- ``ncp-disable`` has been deprecated + With the improved and matured data channel cipher negioation, the use + of ``ncp-disable`` should not be necessary anymore. + Overview of changes in 2.4 ========================== diff --git a/src/openvpn/options.c b/src/openvpn/options.c index a72b677a..75871b46 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -545,7 +545,7 @@ static const char usage_message[] = " (default=%s).\n" " Set alg=none to disable encryption.\n" "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n" - "--ncp-disable : Disable cipher negotiation.\n" + "--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n" "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n" " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n" #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH 
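Review bot: the Changes.rst hunk misspells "negotiation" as "negioation" in "With the improved and matured data channel cipher negioation, the use"; release notes are user-facing text, so fix it before merge. Two smaller wording points in the same hunk: "signal all supported cipher" should be "all supported ciphers", and "This allows to use a configuration like" reads better as "This allows a configuration like".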
@@ -7904,6 +7904,9 @@ add_option(struct options *options, { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE); options->ncp_enabled = false; + msg(M_WARN, "DEPRECATED OPTION: ncp-disable. Disabling dynamic " + "cipher negioating is a depracted debug feature that will " + "be removed in OpenVPN 2.6"); } else if (streq(p[0], "prng") && p[1] && !p[3]) {

From patchwork Thu Jul 9 00:15:57 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1223
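Review bot: the msg(M_WARN, ...) text added in the add_option() ncp-disable branch of src/openvpn/options.c (patch 1/8) will be printed to every user who still has the option in their config, and it contains two spelling errors: "negioating" should be "negotiation" and "depracted" should be "deprecated". It would also help to make the warning actionable by saying what to do instead, e.g. that the option can simply be removed, as the Changes.rst entry in this patch already states.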
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 9 Jul 2020 12:15:57 +0200
Message-Id: <20200709101603.11941-2-arne@rfc2549.org>
In-Reply-To: <20200709101603.11941-1-arne@rfc2549.org>
References: <20200709101603.11941-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 2/8] Make key_state->authenticated more state machine like

This orders the states from unauthenticated to authenticated and also
changes the comparison for KS_AUTH_FALSE from != to >.

It also adds comments and documents parts using the state machine better.

Remove a now obsolete comment and two obsolete ifdefs. While keeping the
ifdef in ssl_verify would save a few bytes of code, this is too minor to
justify keeping the ifdef.
Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli --- src/openvpn/multi.c | 12 +++++++++--- src/openvpn/ssl.c | 7 ++++--- src/openvpn/ssl_common.h | 22 ++++++++++++++++------ src/openvpn/ssl_verify.c | 18 +++++++----------- 4 files changed, 36 insertions(+), 23 deletions(-) diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index f1ced9b7..f1332c8d 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2352,12 +2352,12 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context)))) { #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) - bool was_authenticated = false; + bool was_unauthenticated = true; struct key_state *ks = NULL; if (mi->context.c2.tls_multi) { ks = &mi->context.c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY]; - was_authenticated = ks->authenticated; + was_unauthenticated = (ks->authenticated == KS_AUTH_FALSE); } #endif @@ -2366,7 +2366,13 @@ multi_process_post(struct multi_context *m, struct multi_instance *mi, const uns pre_select(&mi->context); #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH) - if (ks && ks->auth_control_file && ks->auth_deferred && !was_authenticated) + /* + * if we see the state transition from unauthenticated to deferred + * and a auth_control_file, we assume it got just added and add + * inotify watch to that file + */ + if (ks && ks->auth_control_file && was_unauthenticated + && (ks->authenticated == KS_AUTH_DEFERRED)) { /* watch acf file */ long watch_descriptor = inotify_add_watch(m->top.c2.inotify_fd, ks->auth_control_file, IN_CLOSE_WRITE | IN_ONESHOT); diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9df7552d..f3fe0ecf 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
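Review bot: in the multi_process_post() hunk of src/openvpn/multi.c, "and a auth_control_file" should be "and an auth_control_file". The rewritten condition replaces the `ks->auth_deferred` test with `ks->authenticated == KS_AUTH_DEFERRED`, which is clearer, but that leaves no visible use of the auth_deferred field in this hunk; the commit message should say whether the field is now redundant and, if so, a follow-up should remove it so the two cannot drift apart.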
@@ -2466,7 +2466,7 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) if (session->opt->server && !(session->opt->ncp_enabled && session->opt->mode == MODE_SERVER && ks->key_id <= 0)) { - if (ks->authenticated != KS_AUTH_FALSE) + if (ks->authenticated > KS_AUTH_FALSE) { if (!tls_session_generate_data_channel_keys(session)) { @@ -2659,7 +2659,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio secure_memzero(up, sizeof(*up)); /* Perform final authentication checks */ - if (ks->authenticated != KS_AUTH_FALSE) + if (ks->authenticated > KS_AUTH_FALSE) { verify_final_auth_checks(multi, session); } @@ -2684,7 +2684,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final * veto opportunity over authentication decision. */ - if ((ks->authenticated != KS_AUTH_FALSE) + if ((ks->authenticated > KS_AUTH_FALSE) && plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL)) { key_state_export_keying_material(&ks->ks_ssl, session); @@ -2715,6 +2715,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio return true; error: + ks->authenticated = KS_AUTH_FALSE; secure_memzero(ks->key_src, sizeof(*ks->key_src)); if (up) { diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index fdf589b5..dd82b77d 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h 
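Review bot: the three `!= KS_AUTH_FALSE` to `> KS_AUTH_FALSE` rewrites in key_method_2_write() and key_method_2_read() are equivalent only because KS_AUTH_FALSE is now the lowest enumerator; that ordering dependency belongs in the enum's doc comment rather than being implicit at each call site. The added `ks->authenticated = KS_AUTH_FALSE;` on the error label is a good fail-closed default, since previously the error path left whatever value authenticated already held; it is a behaviour change and deserves a line in the commit message.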
@@ -127,10 +127,23 @@ struct key_source2 { struct key_source server; /**< Random provided by server. */ }; + +/** + * This refelects the (server side) state auf authentication after the TLS + * session has been established and key_method_2_read is called. If async auth + * is enabled the state will first move to KS_AUTH_DEFERRED before eventually + * being set to KS_AUTH_TRUE or KS_AUTH_FALSE + * Only KS_AUTH_TRUE is fully authenticated + */ enum ks_auth_state { - KS_AUTH_FALSE, - KS_AUTH_TRUE, - KS_AUTH_DEFERRED + KS_AUTH_FALSE, /**< Key state is not authenticated */ + KS_AUTH_DEFERRED, /**< Key state authentication is being deferred, + * by async auth */ + KS_AUTH_TRUE /**< Key state is authenticated. TLS and user/pass + * succeeded. This include AUTH_PENDING/OOB + * authentication as those hold the + * connection artifically in KS_AUTH_DEFERRED + */ }; /** @@ -194,8 +207,6 @@ struct key_state enum ks_auth_state authenticated; time_t auth_deferred_expire; -#ifdef ENABLE_DEF_AUTH - /* If auth_deferred is true, authentication is being deferred */ #ifdef MANAGEMENT_DEF_AUTH unsigned int mda_key_id; unsigned int mda_status; @@ -205,7 +216,6 @@ struct key_state time_t acf_last_mod; char *auth_control_file; #endif -#endif }; /** Control channel wrapping (--tls-auth/--tls-crypt) context */ diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index e28f1f3a..990fba99 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -950,7 +950,7 @@ tls_authentication_status(struct tls_multi *multi, const int latency) if (DECRYPT_KEY_ENABLED(multi, ks)) { active = true; - if (ks->authenticated != KS_AUTH_FALSE) + if (ks->authenticated > KS_AUTH_FALSE) { #ifdef ENABLE_DEF_AUTH unsigned int s1 = ACF_DISABLED; 
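Review bot: the new doc comment on enum ks_auth_state has several typos that should be fixed before it lands in a header: "refelects" (reflects), "state auf authentication" (state of authentication; "auf" is German), "artifically" (artificially), "This include" (This includes), and the sentence ending in "KS_AUTH_TRUE or KS_AUTH_FALSE" is missing its full stop. Since the rest of the series compares with `> KS_AUTH_FALSE`, the comment should also say explicitly that the enumerator order is significant and must not be reordered. Dropping the outer `#ifdef ENABLE_DEF_AUTH` leaves the mda_key_id/mda_status fields guarded by MANAGEMENT_DEF_AUTH alone; that is fine if MANAGEMENT_DEF_AUTH already implies ENABLE_DEF_AUTH, but a sentence in the commit message confirming it would save the next reader a grep.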
@@ -1249,6 +1249,9 @@ verify_user_pass_management(struct tls_session *session, /* * Main username/password verification entry point + * + * Will set session->ks[KS_PRIMARY].authenticated according to + * result of the username/password verifcation */ void verify_user_pass(struct user_pass *up, struct tls_multi *multi, @@ -1414,17 +1417,10 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi, */ send_push_reply_auth_token(multi); } -#ifdef ENABLE_DEF_AUTH msg(D_HANDSHAKE, "TLS: Username/Password authentication %s for username '%s' %s", (ks->authenticated == KS_AUTH_DEFERRED) ? "deferred" : "succeeded", up->username, (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); -#else - msg(D_HANDSHAKE, "TLS: Username/Password authentication %s for username '%s' %s", - "succeeded", - up->username, - (session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) ? "[CN SET]" : ""); -#endif } else { @@ -1445,7 +1441,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) } /* Don't allow the CN to change once it's been locked */ - if (ks->authenticated != KS_AUTH_FALSE && multi->locked_cn) + if (ks->authenticated > KS_AUTH_FALSE && multi->locked_cn) { const char *cn = session->common_name; if (cn && strcmp(cn, multi->locked_cn)) @@ -1461,7 +1457,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) } /* Don't allow the cert hashes to change once they have been locked */ - if (ks->authenticated != KS_AUTH_FALSE && multi->locked_cert_hash_set) + if (ks->authenticated > KS_AUTH_FALSE && multi->locked_cert_hash_set) { const struct cert_hash_set *chs = session->cert_hash_set; if (chs && !cert_hash_compare(chs, multi->locked_cert_hash_set)) 
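Review bot: in the new verify_user_pass() doc comment, "verifcation" should be "verification", and "session->ks[KS_PRIMARY].authenticated" does not match the field used elsewhere in this patch, where the multi.c hunk reaches the key state via `session[TM_ACTIVE].key[KS_PRIMARY]`; write the comment in terms of `key[KS_PRIMARY]` (or just "the primary key state") so it does not point at a non-existent member. Removing the #else branch means the "deferred" wording is now compiled in without ENABLE_DEF_AUTH too; that is harmless because, per the new ssl_common.h comment, the state only moves to KS_AUTH_DEFERRED when async auth is enabled, but it is worth stating in the commit message alongside the ifdef removal.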
@@ -1475,7 +1471,7 @@ verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session) } /* verify --client-config-dir based authentication */ - if (ks->authenticated != KS_AUTH_FALSE && session->opt->client_config_dir_exclusive) + if (ks->authenticated > KS_AUTH_FALSE && session->opt->client_config_dir_exclusive) { struct gc_arena gc = gc_new();

From patchwork Thu Jul 9 00:15:58 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1219
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 9 Jul 2020 12:15:58 +0200
Message-Id: <20200709101603.11941-3-arne@rfc2549.org>
In-Reply-To: <20200709101603.11941-1-arne@rfc2549.org>
References: <20200709101603.11941-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 3/8] Extract process_incoming_push_reply from process_incoming_push_msg

This is a small refactoring to make both functions more readable. It also
eliminates the ret variable in process_incoming_push_msg, which now serves
no purpose anymore.

Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
 src/openvpn/push.c | 113 +++++++++++++++++++++++++--------------------
 1 file changed, 64 insertions(+), 49 deletions(-)
diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 56d652a3..d74323db 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -855,6 +855,63 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt) } } +static int +process_incoming_push_reply(struct context *c, + unsigned int permission_mask, + const unsigned int *option_types_found, + struct buffer *buf) +{ + int ret = PUSH_MSG_ERROR; + const uint8_t ch = buf_read_u8(buf); + if (ch == ',') + { + struct buffer buf_orig = (*buf); + if (!c->c2.pulled_options_digest_init_done) + { + c->c2.pulled_options_state = md_ctx_new(); + md_ctx_init(c->c2.pulled_options_state, md_kt_get("SHA256")); + c->c2.pulled_options_digest_init_done = true; + } + if (!c->c2.did_pre_pull_restore) + { + pre_pull_restore(&c->options, &c->c2.gc); + c->c2.did_pre_pull_restore = true; + } + if (apply_push_options(&c->options, + buf, + permission_mask, + option_types_found, + c->c2.es)) + { + push_update_digest(c->c2.pulled_options_state, &buf_orig, + &c->options); + switch (c->options.push_continuation) + { + case 0: + case 1: + md_ctx_final(c->c2.pulled_options_state, + c->c2.pulled_options_digest.digest); + md_ctx_cleanup(c->c2.pulled_options_state); + md_ctx_free(c->c2.pulled_options_state); + c->c2.pulled_options_state = NULL; + c->c2.pulled_options_digest_init_done = false; + ret = PUSH_MSG_REPLY; + break; + + case 2: + ret = PUSH_MSG_CONTINUATION; + break; + } + } + } + else if (ch == '\0') + { + ret = PUSH_MSG_REPLY; + } + /* show_settings (&c->options); */ + return ret; +} + int process_incoming_push_msg(struct context *c, const struct buffer *buffer, 
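Review bot: process_incoming_push_reply() is new and has no comment stating its contract; document that buf must be positioned just after "PUSH_REPLY" and that it returns PUSH_MSG_REPLY, PUSH_MSG_CONTINUATION or PUSH_MSG_ERROR. The parameter `const unsigned int *option_types_found` looks wrong: process_incoming_push_msg() declares the same argument as `unsigned int *` and the original code passed it through to apply_push_options() unchanged, so if apply_push_options() writes through that pointer (its name suggests it records which option types were seen), the const will be discarded with a compiler warning; drop the const. Minor: `struct buffer buf_orig = (*buf);` does not need the parentheses, and the commented-out `/* show_settings (&c->options); */` is dead code being moved rather than removed.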
@@ -862,64 +919,22 @@ process_incoming_push_msg(struct context *c, unsigned int permission_mask, unsigned int *option_types_found) { - int ret = PUSH_MSG_ERROR; struct buffer buf = *buffer; if (buf_string_compare_advance(&buf, "PUSH_REQUEST")) { - ret = process_incoming_push_request(c); + return process_incoming_push_request(c); } else if (honor_received_options && buf_string_compare_advance(&buf, "PUSH_REPLY")) { - const uint8_t ch = buf_read_u8(&buf); - if (ch == ',') - { - struct buffer buf_orig = buf; - if (!c->c2.pulled_options_digest_init_done) - { - c->c2.pulled_options_state = md_ctx_new(); - md_ctx_init(c->c2.pulled_options_state, md_kt_get("SHA256")); - c->c2.pulled_options_digest_init_done = true; - } - if (!c->c2.did_pre_pull_restore) - { - pre_pull_restore(&c->options, &c->c2.gc); - c->c2.did_pre_pull_restore = true; - } - if (apply_push_options(&c->options, - &buf, - permission_mask, - option_types_found, - c->c2.es)) - { - push_update_digest(c->c2.pulled_options_state, &buf_orig, - &c->options); - switch (c->options.push_continuation) - { - case 0: - case 1: - md_ctx_final(c->c2.pulled_options_state, c->c2.pulled_options_digest.digest); - md_ctx_cleanup(c->c2.pulled_options_state); - md_ctx_free(c->c2.pulled_options_state); - c->c2.pulled_options_state = NULL; - c->c2.pulled_options_digest_init_done = false; - ret = PUSH_MSG_REPLY; - break; - - case 2: - ret = PUSH_MSG_CONTINUATION; - break; - } - } - } - else if (ch == '\0') - { - ret = PUSH_MSG_REPLY; - } - /* show_settings (&c->options); */ + return process_incoming_push_reply(c, permission_mask, + option_types_found, &buf); + } + else + { + return PUSH_MSG_ERROR; } - return ret; }

From patchwork Thu Jul 9 00:15:59 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1220
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 9 Jul 2020 12:15:59 +0200
Message-Id: <20200709101603.11941-4-arne@rfc2549.org>
In-Reply-To: <20200709101603.11941-1-arne@rfc2549.org>
References: <20200709101603.11941-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 4/8] Move protocol option negotiation from push_prepare to new function

This cleans up the code and removes the surprising side effect of preparing a push reply also selecting protocol options.

We also remember if we have seen a push request without async push. This improves reaction time if deferred auth is involved, like management interface deferred auth.

The other benefit is removing a number of ifdefs.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/forward.c |  4 +--
 src/openvpn/multi.c   | 81 ++++++++++++++++++++++++++++++++++++++++---
 src/openvpn/openvpn.h |  2 --
 src/openvpn/push.c    | 66 +++++------------------------------
 4 files changed, 88 insertions(+), 65 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 885cf126..5c4370a8 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1123,8 +1123,8 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo } /* - * Drop non-TLS packet if client-connect script/plugin has not - * yet succeeded. + * Drop non-TLS packet if client-connect script/plugin and cipher selection + * has not yet succeeded. */ if (c->c2.context_auth != CAS_SUCCEEDED) { diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index f1332c8d..f04c4c90 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -824,8 +824,8 @@ multi_create_instance(struct multi_context *m, const struct mroute_addr *real) mi->did_cid_hash = true; #endif -#ifdef ENABLE_ASYNC_PUSH mi->context.c2.push_request_received = false; +#ifdef ENABLE_ASYNC_PUSH mi->inotify_watch = -1; #endif 
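Review bot: in the forward.c comment hunk, "client-connect script/plugin and cipher selection has not yet succeeded" needs the plural "have not yet succeeded"; more to the point, the comment now asserts that every context with context_auth == CAS_SUCCEEDED has finished cipher selection, and that is only true if multi.c runs multi_client_set_protocol_options() before it assigns CAS_SUCCEEDED, so the assignment order over there and this comment have to be kept in step.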
@@ -1772,6 +1772,78 @@ multi_client_connect_setenv(struct multi_context *m, gc_free(&gc); } +/** + * Calculates the options that depend on the client capabilities + * based on local options and available peer info + * - choosen cipher + * - peer id + */ +static void +multi_client_set_protocol_options(struct context *c) +{ + + const char *optstr = NULL; + struct tls_multi *tls_multi = c->c2.tls_multi; + const char *const peer_info = tls_multi->peer_info; + struct options *o = &c->options; + + /* Send peer-id if client supports it */ + optstr = peer_info ? strstr(peer_info, "IV_PROTO=") : NULL; + if (optstr) + { + int proto = 0; + int r = sscanf(optstr, "IV_PROTO=%d", &proto); + if ((r == 1) && (proto >= 2)) + { + tls_multi->use_peer_id = true; + } + } + + /* Select cipher if client supports Negotiable Crypto Parameters */ + if (o->ncp_enabled) + { + /* if we have already created our key, we cannot *change* our own + * cipher -> so log the fact and push the "what we have now" cipher + * (so the client is always told what we expect it to use) + */ + const struct tls_session *session = &tls_multi->session[TM_ACTIVE]; + if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized) + { + msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but " + "server has already generated data channel keys, " + "re-sending previously negotiated cipher '%s'", + o->ciphername ); + } + else + { + /* + * Push the first cipher from --ncp-ciphers to the client that + * the client announces to be supporting. + */ + char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, o->ciphername, + peer_info, + tls_multi->remote_ciphername, + &o->gc); + + if (push_cipher) + { + o->ciphername = push_cipher; + } + else + { + struct gc_arena gc = gc_new(); + const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc); + msg(M_INFO, "PUSH: No common cipher between server and client." + "Expect this connection not to work. 
" + "Server ncp-ciphers: '%s', client supported ciphers '%s'", + o->ncp_ciphers, peer_ciphers); + gc_free(&gc); + } + } + } +} + + /* * Called as soon as the SSL/TLS connection authenticates. * @@ -2074,13 +2146,14 @@ script_failed: /* set context-level authentication flag */ mi->context.c2.context_auth = CAS_SUCCEEDED; -#ifdef ENABLE_ASYNC_PUSH - /* authentication complete, send push reply */ + /* authentication complete, calculate dynamic client specific options */ + multi_client_set_protocol_options(&mi->context); + + /* send push reply if ready*/ if (mi->context.c2.push_request_received) { process_incoming_push_request(&mi->context); } -#endif } else { diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 4609af3e..a1308852 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -432,9 +432,7 @@ struct context_2 #if P2MP /* --ifconfig endpoints to be pushed to client */ -#ifdef ENABLE_ASYNC_PUSH bool push_request_received; -#endif bool push_ifconfig_defined; time_t sent_push_reply_expiry; in_addr_t push_ifconfig_local; diff --git a/src/openvpn/push.c b/src/openvpn/push.c index d74323db..92a28a14 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -437,7 +437,7 @@ prepare_auth_token_push_reply(struct tls_multi *tls_multi, struct gc_arena *gc, } /** - * Prepare push options, based on local options and available peer info. + * Prepare push options, based on local options * * @param context context structure storing data for VPN tunnel * @param gc gc arena for allocating push options @@ -449,9 +449,7 @@ bool prepare_push_reply(struct context *c, struct gc_arena *gc, struct push_list *push_list) { - const char *optstr = NULL; struct tls_multi *tls_multi = c->c2.tls_multi; - const char *const peer_info = tls_multi->peer_info; struct options *o = &c->options; /* ipv6 */ 
@@ -480,18 +478,10 @@ prepare_push_reply(struct context *c, struct gc_arena *gc, 0, gc)); } - /* Send peer-id if client supports it */ - optstr = peer_info ? strstr(peer_info, "IV_PROTO=") : NULL; - if (optstr) + if (tls_multi->use_peer_id) { - int proto = 0; - int r = sscanf(optstr, "IV_PROTO=%d", &proto); - if ((r == 1) && (proto >= 2)) - { - push_option_fmt(gc, push_list, M_USAGE, "peer-id %d", - tls_multi->peer_id); - tls_multi->use_peer_id = true; - } + push_option_fmt(gc, push_list, M_USAGE, "peer-id %d", + tls_multi->peer_id); } /* * If server uses --auth-gen-token and we have an auth token 
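Review bot: in the multi_client_set_protocol_options() hunk, both msg() calls keep the "PUSH:" prefix and the wording "client wants to negotiate cipher (NCP)" although the function now runs from multi_connection_established() when authentication completes, whether or not a PUSH_REQUEST has arrived; reword them (for example "NCP: ...") so the log does not send operators looking for a push request that may not exist. In the no-common-cipher branch the code logs "Expect this connection not to work" and carries on with the server's own o->ciphername, which the peer has just announced it cannot use; since CAS_SUCCEEDED is now meant to mean "protocol options settled", failing the connection here is the fail-closed choice. Smaller points: "choosen" in the doc comment should be "chosen", and the split literal `"...between server and client." "Expect this connection not to work. "` is missing a space after the period, a defect the moved code inherits and could fix on the way.

Review bot: in the multi_connection_established hunk, `mi->context.c2.context_auth = CAS_SUCCEEDED;` is assigned before `multi_client_set_protocol_options(&mi->context);` runs, while the forward.c comment in this same patch says CAS_SUCCEEDED now also covers cipher selection; compute the options first and set the flag afterwards so the two agree. Also "/* send push reply if ready*/" wants a space before the closing delimiter.

Review bot: in the openvpn.h hunk, dropping the #ifdef leaves `bool push_request_received;` sitting directly under "/* --ifconfig endpoints to be pushed to client */", a comment that describes the fields after it, not this flag; give push_request_received its own comment saying who sets it (the push message handler) and who consumes it (multi_connection_established), or move it below the ifconfig block.

Review bot: in the peer-id hunk, prepare_push_reply() now depends on `tls_multi->use_peer_id` having been computed by multi_client_set_protocol_options(); that holds only because the push reply is sent solely once context_auth == CAS_SUCCEEDED, which is set in the same place. A one-line comment here stating that ordering dependency would save the next reader a hunt through multi.c.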
@@ -499,47 +489,11 @@ prepare_push_reply(struct context *c, struct gc_arena *gc, */ prepare_auth_token_push_reply(tls_multi, gc, push_list); - /* Push cipher if client supports Negotiable Crypto Parameters */ - if (o->ncp_enabled) - { - /* if we have already created our key, we cannot *change* our own - * cipher -> so log the fact and push the "what we have now" cipher - * (so the client is always told what we expect it to use) - */ - const struct tls_session *session = &tls_multi->session[TM_ACTIVE]; - if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized) - { - msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but " - "server has already generated data channel keys, " - "re-sending previously negotiated cipher '%s'", - o->ciphername ); - } - else - { - /* - * Push the first cipher from --ncp-ciphers to the client that - * the client announces to be supporting. - */ - char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, o->ciphername, - peer_info, - tls_multi->remote_ciphername, - &o->gc); - - if (push_cipher) - { - o->ciphername = push_cipher; - } - else - { - const char *peer_ciphers = tls_peer_ncp_list(peer_info, gc); - msg(M_INFO, "PUSH: No common cipher between server and client." - "Expect this connection not to work. " - "Server ncp-ciphers: '%s', client supported ciphers '%s'", - o->ncp_ciphers, peer_ciphers); - } - } - push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername); - } + /* + * Push the selected cipher, at this point the cipher has been + * already negioated and been fixed + */ + push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername); return true; } 
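Review bot: in this hunk the `if (o->ncp_enabled)` guard around `push_option_fmt(gc, push_list, M_USAGE, "cipher %s", o->ciphername);` is dropped, so a server started with --ncp-disable, or talking to a client that never announced NCP support, now pushes "cipher ..." where it previously did not; the commit message only describes moving the negotiation, so either keep a guard (push only when the peer announced NCP support) or state the behaviour change explicitly. Also "negioated" in the new comment should be "negotiated".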
@@ -794,9 +748,7 @@ process_incoming_push_request(struct context *c) { int ret = PUSH_MSG_ERROR; -#ifdef ENABLE_ASYNC_PUSH c->c2.push_request_received = true; -#endif if (tls_authentication_status(c->c2.tls_multi, 0) == TLS_AUTHENTICATION_FAILED || c->c2.context_auth == CAS_FAILED) { const char *client_reason = tls_client_reason(c->c2.tls_multi);

From patchwork Thu Jul 9 00:16:00 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1216
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 9 Jul 2020 12:16:00 +0200
Message-Id: <20200709101603.11941-5-arne@rfc2549.org>
In-Reply-To: <20200709101603.11941-1-arne@rfc2549.org>
References: <20200709101603.11941-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 5/8] Generate data channel keys after connect options have been parsed

To simplify the control flow, it makes more sense to generate the data keys when all the prerequisites for generating the data channel keys (NCP cipher selection etc.) are met, instead of delaying it to the next incoming PUSH_REQUEST message.

This also eliminates the need for the hack introduced by commit 3b06b57d9 to generate the data channel keys on the async file close event.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/multi.c | 54 ++++++++++++++++++++++++++-------------------
 src/openvpn/push.c  | 27 ++++------------------
 2 files changed, 35 insertions(+), 46 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index f04c4c90..810e489a 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1843,6 +1843,30 @@ multi_client_set_protocol_options(struct context *c) } } +/** + * Generates the data channel keys + */ +static bool +multi_client_generate_tls_keys(struct context *c) +{ + struct frame *frame_fragment = NULL; +#ifdef ENABLE_FRAGMENT + if (c->options.ce.fragment) + { + frame_fragment = &c->c2.frame_fragment; + } +#endif + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + if (!tls_session_update_crypto_params(session, &c->options, + &c->c2.frame, frame_fragment)) + { + msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); + register_signal(c, SIGUSR1, "process-push-msg-failed"); + return false; + } + + return true; +} /* * Called as soon as the SSL/TLS connection authenticates. @@ -2149,7 +2173,13 @@ script_failed: /* authentication complete, calculate dynamic client specific options */ multi_client_set_protocol_options(&mi->context); - /* send push reply if ready*/ + /* Generate data channel keys */ + if (!multi_client_generate_tls_keys(&mi->context)) + { + mi->context.c2.context_auth = CAS_FAILED; + } + + /* send push reply if ready */ if (mi->context.c2.push_request_received) { process_incoming_push_request(&mi->context); 
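Review bot: in the new multi_client_generate_tls_keys(), the signal reason "process-push-msg-failed" was copied from push.c, but no push message is being processed here; use a reason that names the failure site (the block removed from multi_process_file_closed() in this same patch used "init-data-channel-failed"), since these strings land in logs that operators grep for. The function name says "tls keys" while the doc comment says "data channel keys"; pick one, and add a blank line between the closing brace and the comment block that follows.

Review bot: in the multi_connection_established hunk, when multi_client_generate_tls_keys() fails the code sets `context_auth = CAS_FAILED` and then still calls process_incoming_push_request() if a request is pending, which takes the CAS_FAILED branch and rejects the client with an authentication failure for what is really a local crypto initialisation error (the helper has already registered SIGUSR1 for this context). Either skip the push handling on failure or make sure the client-facing reason distinguishes this from a genuine authentication failure.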
@@ -2205,28 +2235,6 @@ multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags) { /* continue authentication, perform NCP negotiation and send push_reply */ multi_process_post(m, mi, mpp_flags); - - /* With NCP and deferred authentication, we perform cipher negotiation and - * data channel keys generation on incoming push request, assuming that auth - * succeeded. When auth succeeds in between push requests and async push is used, - * we send push reply immediately. Above multi_process_post() call performs - * NCP negotiation and here we do keys generation. */ - - struct context *c = &mi->context; - struct frame *frame_fragment = NULL; -#ifdef ENABLE_FRAGMENT - if (c->options.ce.fragment) - { - frame_fragment = &c->c2.frame_fragment; - } -#endif - struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - if (!tls_session_update_crypto_params(session, &c->options, - &c->c2.frame, frame_fragment)) - { - msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); - register_signal(c, SIGUSR1, "init-data-channel-failed"); - } } else { diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 92a28a14..5bc4328c 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
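Review bot: in the multi_process_file_closed hunk, the comment kept above multi_process_post(), "continue authentication, perform NCP negotiation and send push_reply", should now also mention data channel key generation, since that is what the removed block did and what this call path is now expected to cover; the deleted comment was the only in-code explanation of the async-push interaction, so without that one word the next reader has only the commit message's reference to 3b06b57d9 to go on.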
@@ -359,30 +359,11 @@ incoming_push_message(struct context *c, const struct buffer *buffer) } event_timeout_clear(&c->c2.push_request_interval); } - else if (status == PUSH_MSG_REQUEST) - { - if (c->options.mode == MODE_SERVER) - { - struct frame *frame_fragment = NULL; -#ifdef ENABLE_FRAGMENT - if (c->options.ce.fragment) - { - frame_fragment = &c->c2.frame_fragment; - } -#endif - struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - if (!tls_session_update_crypto_params(session, &c->options, - &c->c2.frame, frame_fragment)) - { - msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); - goto error; - } - } - } goto cleanup; + error: - register_signal(c, SIGUSR1, "process-push-msg-failed"); + register_signal(c, SIGUSR1, "process-push-msg-failed"); cleanup: gc_free(&gc); } @@ -748,7 +729,6 @@ process_incoming_push_request(struct context *c) { int ret = PUSH_MSG_ERROR; - c->c2.push_request_received = true; if (tls_authentication_status(c->c2.tls_multi, 0) == TLS_AUTHENTICATION_FAILED || c->c2.context_auth == CAS_FAILED) { const char *client_reason = tls_client_reason(c->c2.tls_multi); @@ -810,7 +790,7 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt) static int process_incoming_push_reply(struct context *c, unsigned int permission_mask, - const unsigned int *option_types_found, + unsigned int *option_types_found, struct buffer *buf) { int ret = PUSH_MSG_ERROR; 
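Review bot: in the incoming_push_message hunk, the `-`/`+` pair for `register_signal(c, SIGUSR1, "process-push-msg-failed");` differs only in whitespace plus an inserted blank line before `error:`; drop that churn so the hunk shows only the removal of the PUSH_MSG_REQUEST branch.

Review bot: the change of process_incoming_push_reply()'s `option_types_found` parameter from `const unsigned int *` to `unsigned int *` is not mentioned in the commit message and is unrelated to moving key generation; either say why the pointee is now written to, or split it into its own commit.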
@@ -875,6 +855,7 @@ process_incoming_push_msg(struct context *c, if (buf_string_compare_advance(&buf, "PUSH_REQUEST")) { + c->c2.push_request_received = true; return process_incoming_push_request(c); } else if (honor_received_options

From patchwork Thu Jul 9 00:16:01 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1221
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 9 Jul 2020 12:16:01 +0200
Message-Id: <20200709101603.11941-6-arne@rfc2549.org>
In-Reply-To: <20200709101603.11941-1-arne@rfc2549.org>
References: <20200709101603.11941-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 6/8] Cleanup: Remove special case code for old poor man's NCP.

Ever since NCPv2, ncp_get_best_cipher uses the global options->ncp_enabled option and ignores the tls_session->ncp_enabled option. The server side's poor man's NCP is implemented by seeing the list of supported ciphers from the peer as just one cipher, so this special handling for poor man's NCP of the older NCP is not needed anymore.

Theoretically we can now get rid of tls_session->ncp_enabled, but doing so requires more refactoring since options is not available in the methods that still use it. And when we remove ncp-disable the variable will be removed anyway.
This commit moves the data channel key generation for the corner case of a client not supporting NCP but having the same cipher as the server to the same function that also generates data channel keys for NCP and poor man's NCP.

This has an unintended side effect of changing the calculated frame size for this special case. The old path did call tls_session_update_crypto_params. To avoid this change in behaviour, this patch adds a hacky workaround. A proper solution for this still needs to be found, but this allows the patch set to be merged.

Document the remaining usage of tls_poor_mans_ncp better.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/init.c |  2 ++
 src/openvpn/ssl.c  | 21 +++++++-------------
 2 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 91b919d5..e9c01629 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2376,6 +2376,8 @@ do_deferred_options(struct context *c, const unsigned int found) } else if (c->options.ncp_enabled) { + /* If the server did not push a --cipher, we will switch to the + * remote cipher if it is in our ncp-ciphers list */ tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername); } struct frame *frame_fragment = NULL;
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index f3fe0ecf..668bcbd9 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1986,6 +1986,12 @@ tls_session_update_crypto_params(struct tls_session *session, options->keysize = 0; } } + else + { + /* Very hacky workaround and quick fix for our calculation + * not correct to avoid a regression */ + return tls_session_generate_data_channel_keys(session); + } init_key_type(&session->opt->key_type, options->ciphername, options->authname, options->keysize, true, true);
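Review bot: in the tls_session_update_crypto_params hunk, the new `else { return tls_session_generate_data_channel_keys(session); }` returns before `init_key_type(&session->opt->key_type, ...)` and everything after it runs, yet the comment only says "our calculation not correct" and the condition of the matching `if` is outside the hunk context; the comment should say which calculation is wrong (the commit message identifies it as the frame size for the identical-cipher case), when this branch is taken, and carry a TODO so the workaround the commit message itself calls hacky is not forgotten once the series is merged.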
@@ -2463,8 +2469,7 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) * generation is postponed until after the pull/push, so we can process pushed * cipher directives. */ - if (session->opt->server && !(session->opt->ncp_enabled - && session->opt->mode == MODE_SERVER && ks->key_id <= 0)) + if (session->opt->server && !(session->opt->mode == MODE_SERVER && ks->key_id <= 0)) { if (ks->authenticated > KS_AUTH_FALSE) { 
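Review bot: in the key_method_2_write hunk, removing `session->opt->ncp_enabled` from the condition means key generation is now deferred for every MODE_SERVER connection, NCP or not, but the comment directly above still justifies the deferral with "so we can process pushed cipher directives"; update it to say the server always generates keys after client-connect and cipher selection. This hunk also removes one reader of session->opt->ncp_enabled, and the key_method_2_read hunk that follows removes the only place that cleared it for non-NCP peers; since the commit message says readers remain, it should name them and state that seeing ncp_enabled == true for a non-NCP peer is safe for each.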
@@ -2616,18 +2621,6 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio multi->remote_ciphername = options_string_extract_option(options, "cipher", NULL); - if (!tls_peer_supports_ncp(multi->peer_info)) - { - /* Peer does not support NCP, but leave NCP enabled if the local and - * remote cipher do not match to attempt 'poor-man's NCP'. - */ - if (multi->remote_ciphername == NULL - || 0 == strcmp(multi->remote_ciphername, multi->opt.config_ciphername)) - { - session->opt->ncp_enabled = false; - } - } - if (tls_session_user_pass_enabled(session)) { /* Perform username/password authentication */

From patchwork Thu Jul 9 00:16:02 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1217
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 9 Jul 2020 12:16:02 +0200
Message-Id: <20200709101603.11941-7-arne@rfc2549.org>
In-Reply-To: <20200709101603.11941-1-arne@rfc2549.org>
References: <20200709101603.11941-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 7/8] Removed unused definition

Signed-off-by: Arne Schwabe Acked-By: Gert Doering --- src/openvpn/ssl.c | 5 +++-- src/openvpn/ssl.h | 7 ------- 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 668bcbd9..4ee4c245 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1988,8 +1988,9 @@ tls_session_update_crypto_params(struct tls_session *session, } else { - /* Very hacky workaround and quick fix for our calculation - * not correct to avoid a regression */ + /* Very hacky workaround and quick fix for frame calculation + * different when adjusting frame size when the original and new cipher + * are identical to avoid a regression with client without NCP */ return tls_session_generate_data_channel_keys(session); } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 2f6f7657..58a9b0d4 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h 
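Review bot: the replacement comment in the ssl.c hunk is still hard to read; "frame calculation different when adjusting frame size when the original and new cipher are identical" stacks two "when" clauses without a verb, so a reader cannot tell what differs from what. Suggest rewriting it as two sentences: first what the frame size calculation gets wrong when the original and new cipher are identical, then that the early return keeps the old behaviour for clients without NCP to avoid a regression. The subject "Removed unused definition" also does not mention this comment change, and the patch has no commit message body beyond the Signed-off-by and Acked-By lines, so either describe both changes there or move the comment fix into its own patch.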
@@ -89,13 +89,6 @@ #define TLS_MULTI_HORIZON 2 /* call tls_multi_process frequently for n seconds after * every packet sent/received action */ -/* - * The SSL/TLS worker thread will wait at most this many seconds for the - * interprocess communication pipe to the main thread to be ready to accept - * writes. - */ -#define TLS_MULTI_THREAD_SEND_TIMEOUT 5 - /* Interval that tls_multi_process should call tls_authentication_status */ #define TLS_MULTI_AUTH_STATUS_INTERVAL 10
From patchwork Thu Jul 9 00:16:03 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1218
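Review bot: the removal of TLS_MULTI_THREAD_SEND_TIMEOUT in the ssl.h hunk is not justified anywhere in the patch. The comment being deleted describes an SSL/TLS worker thread and an interprocess pipe to the main thread, so the commit message should say where that thread went (or when the constant stopped being referenced) and that a grep of the tree finds no remaining users; with that, the "Removed unused definition" subject becomes something a reviewer can verify rather than take on trust. Minor: write the subject in the imperative ("Remove unused definition") to match patch 8/8 of this series.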
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 9 Jul 2020 12:16:03 +0200
Message-Id: <20200709101603.11941-8-arne@rfc2549.org>
In-Reply-To: <20200709101603.11941-1-arne@rfc2549.org>
References: <20200709101603.11941-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 8/8] Code cleanup: remove superfluous variable
Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
---
 src/openvpn/ssl.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 4ee4c245..54a23011 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1231,11 +1231,10 @@ lame_duck_must_die(const struct tls_session *session, interval_t *wakeup) const struct key_state *lame = &session->key[KS_LAME_DUCK]; if (lame->state >= S_INITIAL) { - const time_t local_now = now; ASSERT(lame->must_die); /* a lame duck key must always have an expiration */ - if (local_now < lame->must_die) + if (now < lame->must_die) { - compute_earliest_wakeup(wakeup, lame->must_die - local_now); + compute_earliest_wakeup(wakeup, lame->must_die - now); return false; } else
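Review bot: dropping the `local_now` snapshot in the lame_duck_must_die hunk is behaviour-preserving only because nothing between the `if (now < lame->must_die)` test and `compute_earliest_wakeup(wakeup, lame->must_die - now)` can update the shared `now` value; the two reads are adjacent statements, so the wakeup interval stays consistent with the comparison that guards it and `lame->must_die - now` is still positive. The original local reads like a deliberate snapshot against exactly that hazard, so a one-line note in the commit message saying why it is unnecessary here would save the next reader from re-deriving it.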