From patchwork Mon Aug 10 04:36:51 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1360
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Aug 2020 16:36:51 +0200
Message-Id: <20200810143707.5834-2-arne@rfc2549.org>
In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org>
References: <20200810143707.5834-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 01/17] Refactor/Reformat tls_pre_decrypt

- Extract data packet handling to its own function
- Replace two instances of if (x) { code } with if (!x) return; code
- Remove extra curly braces that were used for pre C99 code style to be
  able to declare variables in the middle of a block

This patch is easier to review with "ignore white space" as the diff is
then a lot smaller in that case and the changes more obvious.

Tested-By: Vladislav Grishenko
Signed-off-by: Arne Schwabe
---
 src/openvpn/ssl.c | 791 ++++++++++++++++++++++++----------------------
 1 file changed, 410 insertions(+), 381 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 06dc9f8f..6d146a63 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -3166,6 +3166,102 @@ nohard: * to implement a multiplexed TLS channel over the TCP/UDP port. */ +static inline void +handle_data_channel_paket(struct tls_multi *multi, + const struct link_socket_actual *from, + struct buffer *buf, + struct crypto_options **opt, + bool floated, + const uint8_t **ad_start) +{ + struct gc_arena gc = gc_new(); + + uint8_t c = *BPTR(buf); + int op = c >> P_OPCODE_SHIFT; + int key_id = c & P_KEY_ID_MASK; + + /* data channel packet */ + for (int i = 0; i < KEY_SCAN_SIZE; ++i) + { + struct key_state *ks = multi->key_scan[i]; + + /* + * This is the basic test of TLS state compatibility between a local OpenVPN + * instance and its remote peer. + * + * If the test fails, it tells us that we are getting a packet from a source + * which claims reference to a prior negotiated TLS session, but the local + * OpenVPN instance has no memory of such a negotiation. + * + * It almost always occurs on UDP sessions when the passive side of the + * connection is restarted without the active side restarting as well (the + * passive side is the server which only listens for the connections, the + * active side is the client which initiates connections). 
+ */ + if (DECRYPT_KEY_ENABLED(multi, ks) + && key_id == ks->key_id + && (ks->authenticated == KS_AUTH_TRUE) + && (floated || link_socket_actual_match(from, &ks->remote_addr))) + { + if (!ks->crypto_options.key_ctx_bi.initialized) + { + msg(D_MULTI_DROPPED, + "Key %s [%d] not initialized (yet), dropping packet.", + print_link_socket_actual(from, &gc), key_id); + goto error_lite; + } + + /* return appropriate data channel decrypt key in opt */ + *opt = &ks->crypto_options; + if (op == P_DATA_V2) + { + *ad_start = BPTR(buf); + } + ASSERT(buf_advance(buf, 1)); + if (op == P_DATA_V1) + { + *ad_start = BPTR(buf); + } + else if (op == P_DATA_V2) + { + if (buf->len < 4) + { + msg(D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4", + print_link_socket_actual(from, &gc)); + goto error; + } + ASSERT(buf_advance(buf, 3)); + } + + ++ks->n_packets; + ks->n_bytes += buf->len; + dmsg(D_TLS_KEYSELECT, + "TLS: tls_pre_decrypt, key_id=%d, IP=%s", + key_id, print_link_socket_actual(from, &gc)); + gc_free(&gc); + return; + } + } + + msg(D_TLS_ERRORS, + "TLS Error: local/remote TLS keys are out of sync: %s [%d]", + print_link_socket_actual(from, &gc), key_id); + goto error_lite; + + +done: + buf->len = 0; + *opt = NULL; + gc_free(&gc); + return; + +error: + ++multi->n_soft_errors; +error_lite: + tls_clear_error(); + goto done; +} + /* * * When we are in TLS mode, this is the first routine which sees 
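Review bot: the new helper's name is misspelled: `handle_data_channel_paket` should read `handle_data_channel_packet` (the call site in tls_pre_decrypt has to be renamed with it). The function also reads `*BPTR(buf)` unconditionally and only produces a meaningful `*ad_start` for P_DATA_V1/P_DATA_V2, so it silently depends on the caller having already checked `buf->len > 0` and the opcode; an `ASSERT(buf->len > 0)` or a one-line comment stating those preconditions above the body would make the contract explicit. Two smaller style points: `static inline` on a function of this size buys nothing and can be plain `static`, and the double blank line before the `done:` label should be collapsed to one.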
@@ -3199,440 +3295,374 @@ tls_pre_decrypt(struct tls_multi *multi, bool floated, const uint8_t **ad_start) { + + if (buf->len <= 0) + { + buf->len = 0; + *opt = NULL; + return false; + } + struct gc_arena gc = gc_new(); bool ret = false; - if (buf->len > 0) + /* get opcode */ + uint8_t pkt_firstbyte = *BPTR(buf); + int op = pkt_firstbyte >> P_OPCODE_SHIFT; + + if ((op == P_DATA_V1) || (op == P_DATA_V2)) { - int i; - int op; - int key_id; + handle_data_channel_paket(multi, from, buf, opt, floated, ad_start); + return false; + } - /* get opcode and key ID */ + /* get key_id */ + int key_id = pkt_firstbyte & P_KEY_ID_MASK; + + /* control channel packet */ + bool do_burst = false; + bool new_link = false; + struct session_id sid; /* remote session ID */ + + /* verify legal opcode */ + if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE) + { + if (op == P_CONTROL_HARD_RESET_CLIENT_V1 + || op == P_CONTROL_HARD_RESET_SERVER_V1) { - uint8_t c = *BPTR(buf); - op = c >> P_OPCODE_SHIFT; - key_id = c & P_KEY_ID_MASK; + msg(D_TLS_ERRORS, "Peer tried unsupported key-method 1"); } + msg(D_TLS_ERRORS, + "TLS Error: unknown opcode received from %s op=%d", + print_link_socket_actual(from, &gc), op); + goto error; + } - if ((op == P_DATA_V1) || (op == P_DATA_V2)) + /* hard reset ? */ + if (is_hard_reset_method2(op)) + { + /* verify client -> server or server -> client connection */ + if (((op == P_CONTROL_HARD_RESET_CLIENT_V2 + || op == P_CONTROL_HARD_RESET_CLIENT_V3) && !multi->opt.server) + || ((op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server)) { - /* data channel packet */ - for (i = 0; i < KEY_SCAN_SIZE; ++i) - { - struct key_state *ks = multi->key_scan[i]; - - /* - * This is the basic test of TLS state compatibility between a local OpenVPN - * instance and its remote peer. 
- * - * If the test fails, it tells us that we are getting a packet from a source - * which claims reference to a prior negotiated TLS session, but the local - * OpenVPN instance has no memory of such a negotiation. - * - * It almost always occurs on UDP sessions when the passive side of the - * connection is restarted without the active side restarting as well (the - * passive side is the server which only listens for the connections, the - * active side is the client which initiates connections). - */ - if (DECRYPT_KEY_ENABLED(multi, ks) - && key_id == ks->key_id - && (ks->authenticated == KS_AUTH_TRUE) - && (floated || link_socket_actual_match(from, &ks->remote_addr))) - { - if (!ks->crypto_options.key_ctx_bi.initialized) - { - msg(D_MULTI_DROPPED, - "Key %s [%d] not initialized (yet), dropping packet.", - print_link_socket_actual(from, &gc), key_id); - goto error_lite; - } - - /* return appropriate data channel decrypt key in opt */ - *opt = &ks->crypto_options; - if (op == P_DATA_V2) - { - *ad_start = BPTR(buf); - } - ASSERT(buf_advance(buf, 1)); - if (op == P_DATA_V1) - { - *ad_start = BPTR(buf); - } - else if (op == P_DATA_V2) - { - if (buf->len < 4) - { - msg(D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4", - print_link_socket_actual(from, &gc)); - goto error; - } - ASSERT(buf_advance(buf, 3)); - } + msg(D_TLS_ERRORS, + "TLS Error: client->client or server->server connection attempted from %s", + print_link_socket_actual(from, &gc)); + goto error; + } + } - ++ks->n_packets; - ks->n_bytes += buf->len; - dmsg(D_TLS_KEYSELECT, - "TLS: tls_pre_decrypt, key_id=%d, IP=%s", - key_id, print_link_socket_actual(from, &gc)); - gc_free(&gc); - return ret; - } - } + /* + * Authenticate Packet + */ + dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s", + packet_opcode_name(op), print_link_socket_actual(from, &gc)); + /* get remote session-id */ + { + struct buffer tmp = *buf; + buf_advance(&tmp, 1); + if (!session_id_read(&sid, &tmp) || 
!session_id_defined(&sid)) + { msg(D_TLS_ERRORS, - "TLS Error: local/remote TLS keys are out of sync: %s [%d]", - print_link_socket_actual(from, &gc), key_id); - goto error_lite; + "TLS Error: session-id not found in packet from %s", + print_link_socket_actual(from, &gc)); + goto error; } - else /* control channel packet */ - { - bool do_burst = false; - bool new_link = false; - struct session_id sid; /* remote session ID */ + } + + int i; + /* use session ID to match up packet with appropriate tls_session object */ + for (i = 0; i < TM_SIZE; ++i) + { + struct tls_session *session = &multi->session[i]; + struct key_state *ks = &session->key[KS_PRIMARY]; + + dmsg(D_TLS_DEBUG, + "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s", + i, + state_name(ks->state), + session_id_print(&session->session_id, &gc), + session_id_print(&sid, &gc), + print_link_socket_actual(from, &gc), + session_id_print(&ks->session_id_remote, &gc), + print_link_socket_actual(&ks->remote_addr, &gc)); - /* verify legal opcode */ - if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE) + if (session_id_equal(&ks->session_id_remote, &sid)) + /* found a match */ + { + if (i == TM_LAME_DUCK) { - if (op == P_CONTROL_HARD_RESET_CLIENT_V1 - || op == P_CONTROL_HARD_RESET_SERVER_V1) - { - msg(D_TLS_ERRORS, "Peer tried unsupported key-method 1"); - } msg(D_TLS_ERRORS, - "TLS Error: unknown opcode received from %s op=%d", - print_link_socket_actual(from, &gc), op); + "TLS ERROR: received control packet with stale session-id=%s", + session_id_print(&sid, &gc)); goto error; } + dmsg(D_TLS_DEBUG, + "TLS: found match, session[%d], sid=%s", + i, session_id_print(&sid, &gc)); + break; + } + } - /* hard reset ? 
*/ - if (is_hard_reset_method2(op)) - { - /* verify client -> server or server -> client connection */ - if (((op == P_CONTROL_HARD_RESET_CLIENT_V2 - || op == P_CONTROL_HARD_RESET_CLIENT_V3) && !multi->opt.server) - || ((op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server)) - { - msg(D_TLS_ERRORS, - "TLS Error: client->client or server->server connection attempted from %s", - print_link_socket_actual(from, &gc)); - goto error; - } - } - - /* - * Authenticate Packet - */ - dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s", - packet_opcode_name(op), print_link_socket_actual(from, &gc)); + /* + * Hard reset and session id does not match any session in + * multi->session: Possible initial packet + */ + if (i == TM_SIZE && is_hard_reset_method2(op)) + { + struct tls_session *session = &multi->session[TM_ACTIVE]; + struct key_state *ks = &session->key[KS_PRIMARY]; - /* get remote session-id */ + /* + * If we have no session currently in progress, the initial packet will + * open a new session in TM_ACTIVE rather than TM_UNTRUSTED. 
+ */ + if (!session_id_defined(&ks->session_id_remote)) + { + if (multi->opt.single_session && multi->n_sessions) { - struct buffer tmp = *buf; - buf_advance(&tmp, 1); - if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid)) - { - msg(D_TLS_ERRORS, - "TLS Error: session-id not found in packet from %s", - print_link_socket_actual(from, &gc)); - goto error; - } + msg(D_TLS_ERRORS, + "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]", + print_link_socket_actual(from, &gc)); + goto error; } - /* use session ID to match up packet with appropriate tls_session object */ - for (i = 0; i < TM_SIZE; ++i) +#ifdef ENABLE_MANAGEMENT + if (management) { - struct tls_session *session = &multi->session[i]; - struct key_state *ks = &session->key[KS_PRIMARY]; - - dmsg(D_TLS_DEBUG, - "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s", - i, - state_name(ks->state), - session_id_print(&session->session_id, &gc), - session_id_print(&sid, &gc), - print_link_socket_actual(from, &gc), - session_id_print(&ks->session_id_remote, &gc), - print_link_socket_actual(&ks->remote_addr, &gc)); - - if (session_id_equal(&ks->session_id_remote, &sid)) - /* found a match */ - { - if (i == TM_LAME_DUCK) - { - msg(D_TLS_ERRORS, - "TLS ERROR: received control packet with stale session-id=%s", - session_id_print(&sid, &gc)); - goto error; - } - dmsg(D_TLS_DEBUG, - "TLS: found match, session[%d], sid=%s", - i, session_id_print(&sid, &gc)); - break; - } + management_set_state(management, + OPENVPN_STATE_AUTH, + NULL, + NULL, + NULL, + NULL, + NULL); } +#endif - /* - * Hard reset and session id does not match any session in - * multi->session: Possible initial packet - */ - if (i == TM_SIZE && is_hard_reset_method2(op)) - { - struct tls_session *session = &multi->session[TM_ACTIVE]; - struct key_state *ks = &session->key[KS_PRIMARY]; - - /* - * If we have no session currently in progress, the 
initial packet will - * open a new session in TM_ACTIVE rather than TM_UNTRUSTED. - */ - if (!session_id_defined(&ks->session_id_remote)) - { - if (multi->opt.single_session && multi->n_sessions) - { - msg(D_TLS_ERRORS, - "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]", - print_link_socket_actual(from, &gc)); - goto error; - } + msg(D_TLS_DEBUG_LOW, + "TLS: Initial packet from %s, sid=%s", + print_link_socket_actual(from, &gc), + session_id_print(&sid, &gc)); -#ifdef ENABLE_MANAGEMENT - if (management) - { - management_set_state(management, - OPENVPN_STATE_AUTH, - NULL, - NULL, - NULL, - NULL, - NULL); - } -#endif + do_burst = true; + new_link = true; + i = TM_ACTIVE; + session->untrusted_addr = *from; + } + } - msg(D_TLS_DEBUG_LOW, - "TLS: Initial packet from %s, sid=%s", - print_link_socket_actual(from, &gc), - session_id_print(&sid, &gc)); + /* + * If we detected new session in the last if block, i has + * changed to TM_ACTIVE, so check the condition again. + */ + if (i == TM_SIZE && is_hard_reset_method2(op)) + { + /* + * No match with existing sessions, + * probably a new session. + */ + struct tls_session *session = &multi->session[TM_UNTRUSTED]; - do_burst = true; - new_link = true; - i = TM_ACTIVE; - session->untrusted_addr = *from; - } - } + /* + * If --single-session, don't allow any hard-reset connection request + * unless it the the first packet of the session. + */ + if (multi->opt.single_session) + { + msg(D_TLS_ERRORS, + "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]", + print_link_socket_actual(from, &gc)); + goto error; + } - /* - * If we detected new session in the last if block, i has - * changed to TM_ACTIVE, so check the condition again. - */ - if (i == TM_SIZE && is_hard_reset_method2(op)) - { - /* - * No match with existing sessions, - * probably a new session. 
- */ - struct tls_session *session = &multi->session[TM_UNTRUSTED]; - - /* - * If --single-session, don't allow any hard-reset connection request - * unless it the the first packet of the session. - */ - if (multi->opt.single_session) - { - msg(D_TLS_ERRORS, - "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]", - print_link_socket_actual(from, &gc)); - goto error; - } + if (!read_control_auth(buf, &session->tls_wrap, from, + session->opt)) + { + goto error; + } - if (!read_control_auth(buf, &session->tls_wrap, from, - session->opt)) - { - goto error; - } + /* + * New session-initiating control packet is authenticated at this point, + * assuming that the --tls-auth command line option was used. + * + * Without --tls-auth, we leave authentication entirely up to TLS. + */ + msg(D_TLS_DEBUG_LOW, + "TLS: new session incoming connection from %s", + print_link_socket_actual(from, &gc)); - /* - * New session-initiating control packet is authenticated at this point, - * assuming that the --tls-auth command line option was used. - * - * Without --tls-auth, we leave authentication entirely up to TLS. - */ - msg(D_TLS_DEBUG_LOW, - "TLS: new session incoming connection from %s", - print_link_socket_actual(from, &gc)); + new_link = true; + i = TM_UNTRUSTED; + session->untrusted_addr = *from; + } + else + { + struct tls_session *session = &multi->session[i]; + struct key_state *ks = &session->key[KS_PRIMARY]; - new_link = true; - i = TM_UNTRUSTED; - session->untrusted_addr = *from; - } - else + /* + * Packet must belong to an existing session. 
+ */ + if (i != TM_ACTIVE && i != TM_UNTRUSTED) + { + msg(D_TLS_ERRORS, + "TLS Error: Unroutable control packet received from %s (si=%d op=%s)", + print_link_socket_actual(from, &gc), + i, + packet_opcode_name(op)); + goto error; + } + + /* + * Verify remote IP address + */ + if (!new_link && !link_socket_actual_match(&ks->remote_addr, from)) + { + msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s", + print_link_socket_actual(from, &gc)); + goto error; + } + + /* + * Remote is requesting a key renegotiation + */ + if (op == P_CONTROL_SOFT_RESET_V1 + && DECRYPT_KEY_ENABLED(multi, ks)) + { + if (!read_control_auth(buf, &session->tls_wrap, from, + session->opt)) { - struct tls_session *session = &multi->session[i]; - struct key_state *ks = &session->key[KS_PRIMARY]; + goto error; + } - /* - * Packet must belong to an existing session. - */ - if (i != TM_ACTIVE && i != TM_UNTRUSTED) - { - msg(D_TLS_ERRORS, - "TLS Error: Unroutable control packet received from %s (si=%d op=%s)", - print_link_socket_actual(from, &gc), - i, - packet_opcode_name(op)); - goto error; - } + key_state_soft_reset(session); - /* - * Verify remote IP address - */ - if (!new_link && !link_socket_actual_match(&ks->remote_addr, from)) - { - msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s", - print_link_socket_actual(from, &gc)); - goto error; - } + dmsg(D_TLS_DEBUG, + "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s", + i, session_id_print(&sid, &gc)); + } + else + { + /* + * Remote responding to our key renegotiation request? 
+ */ + if (op == P_CONTROL_SOFT_RESET_V1) + { + do_burst = true; + } - /* - * Remote is requesting a key renegotiation - */ - if (op == P_CONTROL_SOFT_RESET_V1 - && DECRYPT_KEY_ENABLED(multi, ks)) - { - if (!read_control_auth(buf, &session->tls_wrap, from, - session->opt)) - { - goto error; - } + if (!read_control_auth(buf, &session->tls_wrap, from, + session->opt)) + { + goto error; + } - key_state_soft_reset(session); + dmsg(D_TLS_DEBUG, + "TLS: received control channel packet s#=%d sid=%s", + i, session_id_print(&sid, &gc)); + } + } - dmsg(D_TLS_DEBUG, - "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s", - i, session_id_print(&sid, &gc)); - } - else - { - /* - * Remote responding to our key renegotiation request? - */ - if (op == P_CONTROL_SOFT_RESET_V1) - { - do_burst = true; - } + /* + * We have an authenticated control channel packet (if --tls-auth was set). + * Now pass to our reliability layer which deals with + * packet acknowledgements, retransmits, sequencing, etc. + */ + struct tls_session *session = &multi->session[i]; + struct key_state *ks = &session->key[KS_PRIMARY]; - if (!read_control_auth(buf, &session->tls_wrap, from, - session->opt)) - { - goto error; - } + /* Make sure we were initialized and that we're not in an error state */ + ASSERT(ks->state != S_UNDEF); + ASSERT(ks->state != S_ERROR); + ASSERT(session_id_defined(&session->session_id)); - dmsg(D_TLS_DEBUG, - "TLS: received control channel packet s#=%d sid=%s", - i, session_id_print(&sid, &gc)); - } - } + /* Let our caller know we processed a control channel packet */ + ret = true; - /* - * We have an authenticated control channel packet (if --tls-auth was set). - * Now pass to our reliability layer which deals with - * packet acknowledgements, retransmits, sequencing, etc. 
- */ - { - struct tls_session *session = &multi->session[i]; - struct key_state *ks = &session->key[KS_PRIMARY]; + /* + * Set our remote address and remote session_id + */ + if (new_link) + { + ks->session_id_remote = sid; + ks->remote_addr = *from; + ++multi->n_sessions; + } + else if (!link_socket_actual_match(&ks->remote_addr, from)) + { + msg(D_TLS_ERRORS, + "TLS Error: Existing session control channel packet from unknown IP address: %s", + print_link_socket_actual(from, &gc)); + goto error; + } - /* Make sure we were initialized and that we're not in an error state */ - ASSERT(ks->state != S_UNDEF); - ASSERT(ks->state != S_ERROR); - ASSERT(session_id_defined(&session->session_id)); + /* + * Should we do a retransmit of all unacknowledged packets in + * the send buffer? This improves the start-up efficiency of the + * initial key negotiation after the 2nd peer comes online. + */ + if (do_burst && !session->burst) + { + reliable_schedule_now(ks->send_reliable); + session->burst = true; + } - /* Let our caller know we processed a control channel packet */ - ret = true; + /* Check key_id */ + if (ks->key_id != key_id) + { + msg(D_TLS_ERRORS, + "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s", + ks->key_id, key_id, print_key_id(multi, &gc)); + goto error; + } - /* - * Set our remote address and remote session_id - */ - if (new_link) - { - ks->session_id_remote = sid; - ks->remote_addr = *from; - ++multi->n_sessions; - } - else if (!link_socket_actual_match(&ks->remote_addr, from)) - { - msg(D_TLS_ERRORS, - "TLS Error: Existing session control channel packet from unknown IP address: %s", - print_link_socket_actual(from, &gc)); - goto error; - } + /* + * Process incoming ACKs for packets we can now + * delete from reliable send buffer + */ + { + /* buffers all packet IDs to delete from send_reliable */ + struct reliable_ack send_ack; - /* - * Should we do a retransmit of all unacknowledged packets in - * the send buffer? 
This improves the start-up efficiency of the - * initial key negotiation after the 2nd peer comes online. - */ - if (do_burst && !session->burst) - { - reliable_schedule_now(ks->send_reliable); - session->burst = true; - } + send_ack.len = 0; + if (!reliable_ack_read(&send_ack, buf, &session->session_id)) + { + msg(D_TLS_ERRORS, + "TLS Error: reading acknowledgement record from packet"); + goto error; + } + reliable_send_purge(ks->send_reliable, &send_ack); + } - /* Check key_id */ - if (ks->key_id != key_id) - { - msg(D_TLS_ERRORS, - "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s", - ks->key_id, key_id, print_key_id(multi, &gc)); - goto error; - } + if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable)) + { + packet_id_type id; - /* - * Process incoming ACKs for packets we can now - * delete from reliable send buffer - */ + /* Extract the packet ID from the packet */ + if (reliable_ack_read_packet_id(buf, &id)) + { + /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */ + if (reliable_wont_break_sequentiality(ks->rec_reliable, id)) + { + if (reliable_not_replay(ks->rec_reliable, id)) { - /* buffers all packet IDs to delete from send_reliable */ - struct reliable_ack send_ack; - - send_ack.len = 0; - if (!reliable_ack_read(&send_ack, buf, &session->session_id)) + /* Save incoming ciphertext packet to reliable buffer */ + struct buffer *in = reliable_get_buf(ks->rec_reliable); + ASSERT(in); + if (!buf_copy(in, buf)) { - msg(D_TLS_ERRORS, - "TLS Error: reading acknowledgement record from packet"); + msg(D_MULTI_DROPPED, + "Incoming control channel packet too big, dropping."); goto error; } - reliable_send_purge(ks->send_reliable, &send_ack); + reliable_mark_active_incoming(ks->rec_reliable, in, id, op); } - if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable)) - { - packet_id_type id; - - /* Extract the packet ID from the packet */ - if (reliable_ack_read_packet_id(buf, &id)) - { - /* Avoid deadlock by rejecting 
packet that would de-sequentialize receive buffer */ - if (reliable_wont_break_sequentiality(ks->rec_reliable, id)) - { - if (reliable_not_replay(ks->rec_reliable, id)) - { - /* Save incoming ciphertext packet to reliable buffer */ - struct buffer *in = reliable_get_buf(ks->rec_reliable); - ASSERT(in); - if (!buf_copy(in, buf)) - { - msg(D_MULTI_DROPPED, - "Incoming control channel packet too big, dropping."); - goto error; - } - reliable_mark_active_incoming(ks->rec_reliable, in, id, op); - } - - /* Process outgoing acknowledgment for packet just received, even if it's a replay */ - reliable_ack_acknowledge_packet_id(ks->rec_ack, id); - } - } - } + /* Process outgoing acknowledgment for packet just received, even if it's a replay */ + reliable_ack_acknowledge_packet_id(ks->rec_ack, id); } } } 
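Review bot: the early `return false;` after `handle_data_channel_paket(...)` leaves the function without calling `gc_free(&gc)`, whereas the old data-channel path freed the arena before returning. Nothing leaks today because gc_new() only initialises an empty arena, but a gc_new() paired with gc_free() on every exit path is the invariant reviewers check for, so either move `struct gc_arena gc = gc_new();` below the data-channel branch or free the arena before that return. Apart from that the restructuring looks behaviour-preserving: the opcode and key_id extraction, the legal-opcode check, the hard-reset direction check, the session-id matching loop and the reliability-layer handling keep the same conditions and log messages, with only the outer `if (buf->len > 0)` turned into an early return and the pre-C99 scoping braces dropped. The braces around `struct buffer tmp` and `struct reliable_ack send_ack` are kept, which is fine for limiting scope but worth a word in the commit message, which says the extra braces were removed.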
@@ -3645,7 +3675,6 @@ done: error: ++multi->n_soft_errors; -error_lite: tls_clear_error(); goto done; }

From patchwork Mon Aug 10 04:36:52 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1367
openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 16:37:08 +0200 Received: (nullmailer pid 5886 invoked by uid 10006); Mon, 10 Aug 2020 14:37:07 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 10 Aug 2020 16:36:52 +0200 Message-Id: <20200810143707.5834-3-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org> References: <20200810143707.5834-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 1.0 RDNS_NONE Delivered to internal network by a host with no rDNS -0.5 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1k58vU-00FaL7-B5 Subject: [Openvpn-devel] [PATCH 02/17] Cleanup tls_pre_decrypt_lite and tls_pre_encrypt X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Mostly C90 -> C99 cleanups and, again, returning immediately instead of wrapping the function body into an if. (Review with whitespace ignored.) Signed-off-by: Arne Schwabe Tested-By: Vladislav Grishenko Acked-by: Gert Doering --- src/openvpn/ssl.c | 224 ++++++++++++++++++++++------------------------ 1 file changed, 109 insertions(+), 115 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 6d146a63..2354a017 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -3455,7 +3455,7 @@ tls_pre_decrypt(struct tls_multi *multi, } /* - * If we detected new session in the last if block, i has + * If we detected new session in the last if block, variable i has * changed to TM_ACTIVE, so check the condition again. */ if (i == TM_SIZE && is_hard_reset_method2(op)) @@ -3468,7 +3468,7 @@ tls_pre_decrypt(struct tls_multi *multi, /* * If --single-session, don't allow any hard-reset connection request - * unless it the the first packet of the session. + * unless it the first packet of the session. */ if (multi->opt.single_session) { 
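Review bot: The second comment fix in this hunk is still ungrammatical: `+ * unless it the first packet of the session.` drops the doubled `the` but leaves the sentence without its verb; it should read `unless it is the first packet of the session.` Since the hunk exists only to correct that comment, it is worth getting right in the same patch.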
@@ -3696,100 +3696,91 @@ tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, const struct buffer *buf) { - struct gc_arena gc = gc_new(); - bool ret = false; - - if (buf->len > 0) + if (buf->len <= 0) { - int op; - int key_id; + return false; + } + struct gc_arena gc = gc_new(); - /* get opcode and key ID */ - { - uint8_t c = *BPTR(buf); - op = c >> P_OPCODE_SHIFT; - key_id = c & P_KEY_ID_MASK; - } + /* get opcode and key ID */ + uint8_t pkt_firstbyte = *BPTR(buf); + int op = pkt_firstbyte >> P_OPCODE_SHIFT; + int key_id = pkt_firstbyte & P_KEY_ID_MASK; - /* this packet is from an as-yet untrusted source, so - * scrutinize carefully */ + /* this packet is from an as-yet untrusted source, so + * scrutinize carefully */ - if (op != P_CONTROL_HARD_RESET_CLIENT_V2 - && op != P_CONTROL_HARD_RESET_CLIENT_V3) - { - /* - * This can occur due to bogus data or DoS packets. - */ - dmsg(D_TLS_STATE_ERRORS, - "TLS State Error: No TLS state for client %s, opcode=%d", - print_link_socket_actual(from, &gc), - op); - goto error; - } + if (op != P_CONTROL_HARD_RESET_CLIENT_V2 + && op != P_CONTROL_HARD_RESET_CLIENT_V3) + { + /* + * This can occur due to bogus data or DoS packets. 
+ */ + dmsg(D_TLS_STATE_ERRORS, + "TLS State Error: No TLS state for client %s, opcode=%d", + print_link_socket_actual(from, &gc), + op); + goto error; + } - if (key_id != 0) - { - dmsg(D_TLS_STATE_ERRORS, - "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected", - key_id, - print_link_socket_actual(from, &gc)); - goto error; - } + if (key_id != 0) + { + dmsg(D_TLS_STATE_ERRORS, + "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected", + key_id, + print_link_socket_actual(from, &gc)); + goto error; + } - if (buf->len > EXPANDED_SIZE_DYNAMIC(&tas->frame)) - { - dmsg(D_TLS_STATE_ERRORS, - "TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected", - buf->len, - print_link_socket_actual(from, &gc), - EXPANDED_SIZE_DYNAMIC(&tas->frame)); - goto error; - } + if (buf->len > EXPANDED_SIZE_DYNAMIC(&tas->frame)) + { + dmsg(D_TLS_STATE_ERRORS, + "TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected", + buf->len, + print_link_socket_actual(from, &gc), + EXPANDED_SIZE_DYNAMIC(&tas->frame)); + goto error; + } - { - struct buffer newbuf = clone_buf(buf); - struct tls_wrap_ctx tls_wrap_tmp = tas->tls_wrap; - bool status; - - /* HMAC test, if --tls-auth was specified */ - status = read_control_auth(&newbuf, &tls_wrap_tmp, from, NULL); - free_buf(&newbuf); - free_buf(&tls_wrap_tmp.tls_crypt_v2_metadata); - if (tls_wrap_tmp.cleanup_key_ctx) - { - free_key_ctx_bi(&tls_wrap_tmp.opt.key_ctx_bi); - } - if (!status) - { - goto error; - } - /* - * At this point, if --tls-auth is being used, we know that - * the packet has passed the HMAC test, but we don't know if - * it is a replay yet. We will attempt to defeat replays - * by not advancing to the S_START state until we - * receive an ACK from our first reply to the client - * that includes an HMAC of our randomly generated 64 bit - * session ID. 
- * - * On the other hand if --tls-auth is not being used, we - * will proceed to begin the TLS authentication - * handshake with only cursory integrity checks having - * been performed, since we will be leaving the task - * of authentication solely up to TLS. - */ + struct buffer newbuf = clone_buf(buf); + struct tls_wrap_ctx tls_wrap_tmp = tas->tls_wrap; - ret = true; - } + /* HMAC test, if --tls-auth was specified */ + bool status = read_control_auth(&newbuf, &tls_wrap_tmp, from, NULL); + free_buf(&newbuf); + free_buf(&tls_wrap_tmp.tls_crypt_v2_metadata); + if (tls_wrap_tmp.cleanup_key_ctx) + { + free_key_ctx_bi(&tls_wrap_tmp.opt.key_ctx_bi); + } + if (!status) + { + goto error; } + + /* + * At this point, if --tls-auth is being used, we know that + * the packet has passed the HMAC test, but we don't know if + * it is a replay yet. We will attempt to defeat replays + * by not advancing to the S_START state until we + * receive an ACK from our first reply to the client + * that includes an HMAC of our randomly generated 64 bit + * session ID. + * + * On the other hand if --tls-auth is not being used, we + * will proceed to begin the TLS authentication + * handshake with only cursory integrity checks having + * been performed, since we will be leaving the task + * of authentication solely up to TLS. + */ gc_free(&gc); - return ret; + return true; error: tls_clear_error(); gc_free(&gc); - return ret; + return false; } /* Choose the key with which to encrypt a data packet */ 
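Review bot: In tls_pre_decrypt_lite the comment `/* HMAC test, if --tls-auth was specified */` is now stranded below the `struct buffer newbuf = clone_buf(buf);` and `struct tls_wrap_ctx tls_wrap_tmp = tas->tls_wrap;` declarations: the removed `- {` / `- }` braces used to group the clone, the read_control_auth() call and the free_buf()/free_key_ctx_bi() cleanup as one unit, and with them gone the comment should move above the clone, since the copy of the buffer and of tls_wrap exist only for that test. With whitespace ignored, the remaining semantic edits are the inverted length check returning false before gc_new(), op/key_id becoming declarations at their point of use, and literal `return true`/`return false` replacing `ret`; all preserve behaviour, including that an empty buffer returns false without tls_clear_error(), which the old code also skipped.

The same applies to the tls_pre_encrypt hunk that follows: the new early-return branch does `buf->len = 0; *opt = NULL; return;` and the `else` branch after the `if (ks_select)` block repeats the two assignments in the opposite order (`*opt = NULL; buf->len = 0;`). Because the `if (ks_select)` branch ends in `return;`, the `else` is redundant; dropping it and letting both the empty-buffer case and the no-key case reach one shared tail (or at least ordering the assignments identically) keeps the two exits from drifting apart in later edits.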
@@ -3798,48 +3789,51 @@ tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt) { multi->save_ks = NULL; - if (buf->len > 0) + if (buf->len <= 0) + { + buf->len = 0; + *opt = NULL; + return; + } + + struct key_state *ks_select = NULL; + for (int i = 0; i < KEY_SCAN_SIZE; ++i) { - int i; - struct key_state *ks_select = NULL; - for (i = 0; i < KEY_SCAN_SIZE; ++i) + struct key_state *ks = multi->key_scan[i]; + if (ks->state >= S_ACTIVE + && (ks->authenticated == KS_AUTH_TRUE) + && ks->crypto_options.key_ctx_bi.initialized + ) { - struct key_state *ks = multi->key_scan[i]; - if (ks->state >= S_ACTIVE - && (ks->authenticated == KS_AUTH_TRUE) - && ks->crypto_options.key_ctx_bi.initialized - ) + if (!ks_select) { - if (!ks_select) - { - ks_select = ks; - } - if (now >= ks->auth_deferred_expire) - { - ks_select = ks; - break; - } + ks_select = ks; + } + if (now >= ks->auth_deferred_expire) + { + ks_select = ks; + break; } } + } - if (ks_select) - { - *opt = &ks_select->crypto_options; - multi->save_ks = ks_select; - dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id); - return; - } - else - { - struct gc_arena gc = gc_new(); - dmsg(D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s", - print_key_id(multi, &gc)); - gc_free(&gc); - } + if (ks_select) + { + *opt = &ks_select->crypto_options; + multi->save_ks = ks_select; + dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id); + return; } + else + { + struct gc_arena gc = gc_new(); + dmsg(D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s", + print_key_id(multi, &gc)); + gc_free(&gc); - buf->len = 0; - *opt = NULL; + *opt = NULL; + buf->len = 0; + } } void From patchwork Mon Aug 10 04:36:53 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1361 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: 
patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id cNOMG9FbMV8AQwAAIUCqbw for ; Mon, 10 Aug 2020 10:38:09 -0400 Received: from proxy3.mail.ord1c.rsapps.net ([172.28.255.1]) by director11.mail.ord1d.rsapps.net with LMTP id +IRJG9FbMV/MTAAAvGGmqA (envelope-from ) for ; Mon, 10 Aug 2020 10:38:09 -0400 Received: from smtp9.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy3.mail.ord1c.rsapps.net with LMTP id YAACG9FbMV/SfwAANIxBXg ; Mon, 10 Aug 2020 10:38:09 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp9.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 1bbab248-db17-11ea-96ed-0026b95bddb7-1-1 Received: from [216.105.38.7] ([216.105.38.7:59066] helo=lists.sourceforge.net) by smtp9.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 14/99-16801-0DB513F5; Mon, 10 Aug 2020 10:38:08 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1k58vQ-0007FT-2T; Mon, 10 Aug 2020 14:37:20 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k58vN-0007F7-31 for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 14:37:17 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; 
c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=UfBMrsK1YcHxCAd2MYwyoysX0uOXWzsPZywu1cpl/6A=; b=RkPONRc2s94uueiECngSlqNjEC i1Zkk5X2pr/vi1VHs77DMWABQ2hmCWHneb7jL4D8pLHxpc9bfyAfpmbD+jPHKgANHd+DQaldYUGeY jgzBPBjb/cdvdyYGwEQtvXRPDmBWU6WmytdVd7C3eUEtAb9fn1YSW5sv+9NKFLljUnRI=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=UfBMrsK1YcHxCAd2MYwyoysX0uOXWzsPZywu1cpl/6A=; b=hoBIsK4PrrGXOxdMfav7RXTocH nk5UT3daH30Pmg1FFiHBtTsC/b9A/qKVl254/K1Q7rqTGLJ7z64db3GLyKF2IV1BRF2R3RH43cvip +neFZ+Zzef8JB6xkc64w29IQHSsCAqIQ/Px37JsBD/jCwo3m0d32bEPww3b0yo38l4pk=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1k58vL-005kqv-5P for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 14:37:17 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1k58vE-000ORx-86 for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 16:37:08 +0200 Received: (nullmailer pid 5889 invoked by uid 10006); Mon, 10 Aug 2020 14:37:08 -0000 
From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 10 Aug 2020 16:36:53 +0200 Message-Id: <20200810143707.5834-4-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org> References: <20200810143707.5834-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1k58vL-005kqv-5P Subject: [Openvpn-devel] [PATCH 03/17] Clean up a number of leftover C89 initialisations in ssl.c X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/ssl.c | 56 +++++++++++++++++------------------------------ 1 file changed, 20 insertions(+), 36 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 2354a017..3bf0dcf8 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -831,10 +831,9 @@ session_index_name(int index) static const char * print_key_id(struct tls_multi *multi, struct gc_arena *gc) { - int i; struct buffer out = alloc_buf_gc(256, gc); - for (i = 0; i < KEY_SCAN_SIZE; ++i) + for (int i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = multi->key_scan[i]; buf_printf(&out, " [key#%d state=%s id=%d sid=%s]", i, @@ -1315,8 +1314,6 @@ tls_multi_init_set_options(struct tls_multi *multi, void tls_multi_free(struct tls_multi *multi, bool clear) { - int i; - ASSERT(multi); auth_set_client_reason(multi, NULL); 
@@ -1339,7 +1336,7 @@ tls_multi_free(struct tls_multi *multi, bool clear) free(multi->remote_ciphername); - for (i = 0; i < TM_SIZE; ++i) + for (int i = 0; i < TM_SIZE; ++i) { tls_session_free(&multi->session[i], false); } @@ -1367,11 +1364,10 @@ tls_multi_free(struct tls_multi *multi, bool clear) static bool swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming) { - const struct key_ctx *ctx; - ASSERT(co); - ctx = (incoming ? &co->key_ctx_bi.decrypt : &co->key_ctx_bi.encrypt); + const struct key_ctx *ctx = (incoming ? &co->key_ctx_bi.decrypt : + &co->key_ctx_bi.encrypt); ASSERT(ctx->hmac); { @@ -1623,25 +1619,21 @@ tls1_P_hash(const md_kt_t *md_kt, int olen) { struct gc_arena gc = gc_new(); - int chunk; - hmac_ctx_t *ctx; - hmac_ctx_t *ctx_tmp; uint8_t A1[MAX_HMAC_KEY_LENGTH]; - unsigned int A1_len; #ifdef ENABLE_DEBUG const int olen_orig = olen; const uint8_t *out_orig = out; #endif - ctx = hmac_ctx_new(); - ctx_tmp = hmac_ctx_new(); + hmac_ctx_t *ctx = hmac_ctx_new(); + hmac_ctx_t *ctx_tmp = hmac_ctx_new(); dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash sec: %s", format_hex(sec, sec_len, 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash seed: %s", format_hex(seed, seed_len, 0, &gc)); - chunk = md_kt_size(md_kt); - A1_len = md_kt_size(md_kt); + int chunk = md_kt_size(md_kt); + unsigned int A1_len = md_kt_size(md_kt); hmac_ctx_init(ctx, sec, sec_len, md_kt); hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt); 
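Review bot: In the tls1_P_hash hunk, `int chunk = md_kt_size(md_kt);` and `unsigned int A1_len = md_kt_size(md_kt);` still compute the same value twice, as the old code did; now that both are initialised on adjacent lines, deriving `A1_len` from `chunk` would make the invariant that they are equal explicit rather than incidental. In swap_hmac the reflowed `const struct key_ctx *ctx = (incoming ? &co->key_ctx_bi.decrypt : &co->key_ctx_bi.encrypt);` keeps `ASSERT(co);` ahead of the dereference, which is the ordering that matters when a declaration is moved down to its point of use.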
@@ -1711,21 +1703,18 @@ tls1_PRF(const uint8_t *label, struct gc_arena gc = gc_new(); const md_kt_t *md5 = md_kt_get("MD5"); const md_kt_t *sha1 = md_kt_get("SHA1"); - int len,i; - const uint8_t *S1,*S2; - uint8_t *out2; - out2 = (uint8_t *) gc_malloc(olen, false, &gc); + uint8_t *out2 = (uint8_t *) gc_malloc(olen, false, &gc); - len = slen/2; - S1 = sec; - S2 = &(sec[len]); + int len = slen/2; + const uint8_t *S1 = sec; + const uint8_t *S2 = &(sec[len]); len += (slen&1); /* add for odd, make longer */ tls1_P_hash(md5,S1,len,label,label_len,out1,olen); tls1_P_hash(sha1,S2,len,label,label_len,out2,olen); - for (i = 0; iopt->push_peer_info_detail > 0) { struct env_set *es = session->opt->es; - struct env_item *e; struct buffer out = alloc_buf_gc(512*3, &gc); /* push version */ @@ -2271,7 +2259,7 @@ push_peer_info(struct buffer *buf, struct tls_session *session) } /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */ - for (e = es->list; e != NULL; e = e->next) + for (struct env_item *e = es->list; e != NULL; e = e->next) { if (e->string) { @@ -3004,10 +2992,8 @@ tls_multi_process(struct tls_multi *multi, interval_t *wakeup) { struct gc_arena gc = gc_new(); - int i; int active = TLSMP_INACTIVE; bool error = false; - int tas; perf_push(PERF_TLS_MULTI_PROCESS); @@ -3018,7 +3004,7 @@ tls_multi_process(struct tls_multi *multi, * and which has a defined remote IP addr. */ - for (i = 0; i < TM_SIZE; ++i) + for (int i = 0; i < TM_SIZE; ++i) { struct tls_session *session = &multi->session[i]; struct key_state *ks = &session->key[KS_PRIMARY]; @@ -3093,7 +3079,7 @@ tls_multi_process(struct tls_multi *multi, update_time(); - tas = tls_authentication_status(multi, TLS_MULTI_AUTH_STATUS_INTERVAL); + int tas = tls_authentication_status(multi, TLS_MULTI_AUTH_STATUS_INTERVAL); /* * If lame duck session expires, kill it. 
@@ -3126,7 +3112,7 @@ tls_multi_process(struct tls_multi *multi, */ if (error) { - for (i = 0; i < (int) SIZE(multi->key_scan); ++i) + for (int i = 0; i < (int) SIZE(multi->key_scan); ++i) { if (multi->key_scan[i]->state >= S_ACTIVE) { @@ -3143,7 +3129,7 @@ nohard: const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL(multi->opt.gremlin); if (throw_level) { - for (i = 0; i < (int) SIZE(multi->key_scan); ++i) + for (int i = 0; i < (int) SIZE(multi->key_scan); ++i) { if (multi->key_scan[i]->state >= throw_level) { 
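Review bot: In the tls_multi_process hunks the removed function-scope `int i` was shared by three loops (the `TM_SIZE` session scan, the `if (error)` key_scan loop and the gremlin loop after `nohard:`), and `int tas` is now declared at its first assignment from tls_authentication_status(). The per-loop `for (int i ...)` form is only safe if nothing between or after those loops read `i`, and `tas` must not be read before that assignment; since a leftover use of either would now be a compile error rather than a silent behaviour change, a clean build of ssl.c is the complete check, and it would be worth saying so in the commit message.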
@@ -3957,13 +3943,11 @@ void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr) { struct gc_arena gc = gc_new(); - int i, j; - - for (i = 0; i < TM_SIZE; ++i) + for (int i = 0; i < TM_SIZE; ++i) { struct tls_session *session = &multi->session[i]; - for (j = 0; j < KS_SIZE; ++j) + for (int j = 0; j < KS_SIZE; ++j) { struct key_state *ks = &session->key[j]; From patchwork Mon Aug 10 04:36:54 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1368 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id SOjKHdZbMV8AQwAAIUCqbw for ; Mon, 10 Aug 2020 10:38:14 -0400 Received: from proxy8.mail.ord1c.rsapps.net ([172.28.255.1]) by director10.mail.ord1d.rsapps.net with LMTP id 2AzBHdZbMV8TIwAApN4f7A (envelope-from ) for ; Mon, 10 Aug 2020 10:38:14 -0400 Received: from smtp19.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy8.mail.ord1c.rsapps.net with LMTP id kIAJHdZbMV+qVQAAHz/atg ; Mon, 10 Aug 2020 10:38:14 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp19.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 1e476fa6-db17-11ea-a65b-bc305bf036e4-1-1 Received: from [216.105.38.7] ([216.105.38.7:46500] helo=lists.sourceforge.net) by smtp19.gate.ord1c.rsapps.net (envelope-from ) 
(ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id A1/95-02135-5DB513F5; Mon, 10 Aug 2020 10:38:13 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1k58vY-0007F5-Vz; Mon, 10 Aug 2020 14:37:28 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k58vV-0007Du-G3 for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 14:37:25 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=A+3ocCz8gd2jC0CgWm/ZFQdbvQ9CdidLC8SLlxbe3CI=; b=ELHau1qIhMaoS9mf0R3o/En70d 3z0eiLNKTN+8/4Kw2+xLz0qxZPzIMzwMBdMxotV7xMBx/NhBpL97q5tCz4JRAGZ/vj32hOzrz/fwr BqU6nSgkvdLdxtJfmBUfyI4tS7b9KIVk2pgwUVQa1SiumCHideY06bqLwXmHxuVYcUFE=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=A+3ocCz8gd2jC0CgWm/ZFQdbvQ9CdidLC8SLlxbe3CI=; b=BR2b8Ag6HNcWp3TUM0TCtMWMeG 7QuTIwzEQ6uRlzZFRuzB2hr2V2QQ2BtZXZycMlR8kGV03Lrm3qNq5Te0vUMG1HoPJxTjznSNpRc8p i0PLSYVBpLMw3ShDEWFFwmrRSTyrtGHU+4RitvTrxTtHxc4R0iPK3jgL6xPY/TxWcnyM=; Received: from [192.26.174.232] (helo=mail.blinkt.de) by sfi-mx-1.v28.lw.sourceforge.com with esmtps 
(TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1k58vU-00FaL8-I6 for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 14:37:25 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1k58vE-000OS0-AN for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 16:37:08 +0200 Received: (nullmailer pid 5892 invoked by uid 10006); Mon, 10 Aug 2020 14:37:08 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 10 Aug 2020 16:36:54 +0200 Message-Id: <20200810143707.5834-5-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org> References: <20200810143707.5834-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 1.0 RDNS_NONE Delivered to internal network by a host with no rDNS -0.5 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1k58vU-00FaL8-I6 Subject: [Openvpn-devel] [PATCH 04/17] Minor cleanup in push.c X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/push.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/src/openvpn/push.c b/src/openvpn/push.c index f10021f8..d20b345d 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c 
@@ -330,13 +330,10 @@ incoming_push_message(struct context *c, const struct buffer *buffer) { struct gc_arena gc = gc_new(); unsigned int option_types_found = 0; - int status; msg(D_PUSH, "PUSH: Received control message: '%s'", sanitize_control_message(BSTR(buffer), &gc)); - status = process_incoming_push_msg(c, - buffer, - c->options.pull, + int status = process_incoming_push_msg(c, buffer, c->options.pull, pull_permission_mask(c), &option_types_found); 
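Review bot: After collapsing the call onto `int status = process_incoming_push_msg(c, buffer, c->options.pull,`, the unchanged continuation lines `pull_permission_mask(c),` and `&option_types_found);` keep the indentation they had when the call started at `status = `, so they no longer line up with the opening parenthesis (the `int ` prefix moved it four columns right); re-indent them in the same hunk. For the second hunk of this file, replacing the `"PUSH_REPLY"` literal with `push_reply_cmd` is behaviour-preserving only if that constant is exactly `PUSH_REPLY` with no trailing separator, because buf_string_compare_advance() advances `buf` past whatever it matched and process_incoming_push_reply() parses what follows; the definition is not part of this patch, so please confirm it and mention where it lives in the commit message.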
@@ -866,7 +863,7 @@ process_incoming_push_msg(struct context *c, return process_incoming_push_request(c); } else if (honor_received_options - && buf_string_compare_advance(&buf, "PUSH_REPLY")) + && buf_string_compare_advance(&buf, push_reply_cmd)) { return process_incoming_push_reply(c, permission_mask, option_types_found, &buf); From patchwork Mon Aug 10 04:36:55 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1356 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id YJdcLspbMV8dDQAAIUCqbw for ; Mon, 10 Aug 2020 10:38:02 -0400 Received: from proxy5.mail.ord1c.rsapps.net ([172.28.255.1]) by director7.mail.ord1d.rsapps.net with LMTP id aA5CLspbMV/YFgAAovjBpQ (envelope-from ) for ; Mon, 10 Aug 2020 10:38:02 -0400 Received: from smtp24.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy5.mail.ord1c.rsapps.net with LMTP id qPv2LcpbMV/QQwAAPBRIyg ; Mon, 10 Aug 2020 10:38:02 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp24.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 17c55c88-db17-11ea-9df8-b8ca3a674470-1-1 Received: from [216.105.38.7] ([216.105.38.7:58914] helo=lists.sourceforge.net) by smtp24.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS 
(cipher=DHE-RSA-AES256-GCM-SHA384) id 90/FD-09184-ACB513F5; Mon, 10 Aug 2020 10:38:02 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1k58vQ-0007Fe-4s; Mon, 10 Aug 2020 14:37:20 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k58vN-0007FE-6y for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 14:37:17 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=pZ46FpqfN2gfsnyiWlMrwCbBWHF1AvmtpSaAqm1tpKs=; b=YYD97myGZhFj+cVqYDIdmio28Z i7Js9nepUrsLofwfv6L9HSfy6Fqwm8H4bkTpKLehBrarQtR8HX6xsPPWoo2TAED0XazSh3x4qDmCc 88g0PwcmgGUlUSYGp17RwKFtuJTHw0kcryWmN1jAlntULlQ6O0q+BcGfItmOTnORavvU=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=pZ46FpqfN2gfsnyiWlMrwCbBWHF1AvmtpSaAqm1tpKs=; b=mvJ6CV86kQKxGL+w4TX2Nre0/d lOY3DLZyOIYIATziKIAQsZPvoyPbntom97OAQds5dacReujiQmQEvEVerGal2wYNqEqp+vJtgY+Pt yTl/U6vfo+SQFdhexhX+/6gtMXpqA3Wku/tgYt4Vb+dF+W2yoIGfZR+i48nj+L4N48Ok=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 
1k58vL-005kqw-6K for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 14:37:17 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1k58vE-000OS3-CY for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 16:37:08 +0200 Received: (nullmailer pid 5895 invoked by uid 10006); Mon, 10 Aug 2020 14:37:08 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 10 Aug 2020 16:36:55 +0200 Message-Id: <20200810143707.5834-6-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org> References: <20200810143707.5834-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1k58vL-005kqw-6K Subject: [Openvpn-devel] [PATCH 05/17] Remove buf argument from link_socket_set_outgoing_addr X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This was only used in a check that is better suited to the calling functions. This also removes passing the buf argument to link_socket_connection_initiated, which does not use that parameter at all. Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/forward.c | 4 ++-- src/openvpn/socket.c | 3 +-- src/openvpn/socket.h | 35 +++++++++++++++-------------------- src/openvpn/ssl.c | 2 +- 4 files changed, 19 insertions(+), 25 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 79c07e46..8a0d63f7 100644 
--- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1177,9 +1177,9 @@ process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, con * * Also, update the persisted version of our packet-id. */ - if (!TLS_MODE(c)) + if (!TLS_MODE(c) && c->c2.buf.len > 0) { - link_socket_set_outgoing_addr(&c->c2.buf, lsi, &c->c2.from, NULL, c->c2.es); + link_socket_set_outgoing_addr(lsi, &c->c2.from, NULL, c->c2.es); } /* reset packet received timer */ diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c index 61463bcd..c486327b 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c @@ -2450,8 +2450,7 @@ ipchange_fmt(const bool include_cmd, struct argv *argv, const struct link_socket } void -link_socket_connection_initiated(const struct buffer *buf, - struct link_socket_info *info, +link_socket_connection_initiated(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es) diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h index 8db9e8ba..7aeae527 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h @@ -435,8 +435,7 @@ in_addr_t link_socket_current_remote(const struct link_socket_info *info); const struct in6_addr *link_socket_current_remote_ipv6 (const struct link_socket_info *info); -void link_socket_connection_initiated(const struct buffer *buf, - struct link_socket_info *info, +void link_socket_connection_initiated(struct link_socket_info *info, const struct link_socket_actual *addr, const char *common_name, struct env_set *es); 
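Review bot: The forward.c hunk preserves the old semantics only because the guard moved with the call, and that deserves a sentence in the commit message. The inline check being removed from link_socket_set_outgoing_addr() was `if (!buf || buf->len > 0)`, so the forward.c caller, which passed `&c->c2.buf`, ran the body only for a non-empty buffer, while the ssl.c caller, which passed `NULL`, ran it unconditionally; the new `if (!TLS_MODE(c) && c->c2.buf.len > 0)` keeps the first behaviour and the now-unguarded ssl.c call keeps the second. The diffstat shows only these two call sites, but any other caller that passed a real buffer would silently lose its length guard with this change, so please state that the callers were grep'd and spell out the NULL case as the reason the ssl.c site needs no guard.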
@@ -984,29 +983,25 @@ link_socket_get_outgoing_addr(struct buffer *buf, } static inline void -link_socket_set_outgoing_addr(const struct buffer *buf, - struct link_socket_info *info, +link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es) { - if (!buf || buf->len > 0) + struct link_socket_addr *lsa = info->lsa; + if ( + /* new or changed address? */ + (!info->connection_established + || !addr_match_proto(&act->dest, &lsa->actual.dest, info->proto) + ) + && + /* address undef or address == remote or --float */ + (info->remote_float + || (!lsa->remote_list || addrlist_match_proto(&act->dest, lsa->remote_list, info->proto)) + ) + ) { - struct link_socket_addr *lsa = info->lsa; - if ( - /* new or changed address? */ - (!info->connection_established - || !addr_match_proto(&act->dest, &lsa->actual.dest, info->proto) - ) - && - /* address undef or address == remote or --float */ - (info->remote_float - || (!lsa->remote_list || addrlist_match_proto(&act->dest, lsa->remote_list, info->proto)) - ) - ) - { - link_socket_connection_initiated(buf, info, act, common_name, es); - } + link_socket_connection_initiated(info, act, common_name, es); } } diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 3bf0dcf8..a43ee985 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
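Review bot: in the forward.c hunk the new `c->c2.buf.len > 0` test on the `!TLS_MODE(c)` branch carries the meaning that used to live in the callee's `!buf || buf->len > 0`, but nothing at the call site now says why a zero-length buffer must not update the outgoing address. A one-line comment next to the condition stating what a zero length means at this point would keep that reasoning visible, since `link_socket_set_outgoing_addr()` no longer expresses it.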
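Review bot: the re-indented condition in `link_socket_set_outgoing_addr` keeps the unusual layout of comment lines inside the `if (` parentheses; with the outer `buf` test gone this is a good moment to split it into two named booleans, one for the "new or changed address" half (`!info->connection_established || !addr_match_proto(...)`) and one for the "undef, equal to remote, or --float" half (`info->remote_float || ... addrlist_match_proto(...)`), so the `--float` policy check reads on its own. Behaviour is otherwise unchanged: the body runs under exactly the conditions the old nested `if` required, and the removed `buf` gate is now supplied by the callers (forward.c via `c->c2.buf.len > 0`; the ssl.c caller passed `NULL`, which satisfied `!buf` and so always proceeded before, as it does now).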
@@ -2762,7 +2762,7 @@ tls_process(struct tls_multi *multi, INCR_SUCCESS; /* Set outgoing address for data channel packets */ - link_socket_set_outgoing_addr(NULL, to_link_socket_info, &ks->remote_addr, session->common_name, session->opt->es); + link_socket_set_outgoing_addr(to_link_socket_info, &ks->remote_addr, session->common_name, session->opt->es); /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */ flush_payload_buffer(ks); From patchwork Mon Aug 10 04:36:56 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1370 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id YAsPHN1bMV+KQQAAIUCqbw for ; Mon, 10 Aug 2020 10:38:21 -0400 Received: from proxy17.mail.ord1d.rsapps.net ([172.30.191.6]) by director8.mail.ord1d.rsapps.net with LMTP id wDnbG91bMV+TXwAAfY0hYg (envelope-from ) for ; Mon, 10 Aug 2020 10:38:21 -0400 Received: from smtp4.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy17.mail.ord1d.rsapps.net with LMTP id eAloG91bMV9IXwAAWC7mWg ; Mon, 10 Aug 2020 10:38:21 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp4.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 22a35e02-db17-11ea-b84f-0024e87f2f2c-1-1 Received: from [216.105.38.7] ([216.105.38.7:46616] 
helo=lists.sourceforge.net) by smtp4.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id C2/12-30428-CDB513F5; Mon, 10 Aug 2020 10:38:20 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1k58vf-0007HE-M5; Mon, 10 Aug 2020 14:37:35 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k58vW-0007EE-EE for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 14:37:26 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=66dleLHQqOo7b4/SrvqMQZcbDRYeSe3ZEXOcAz+5T7k=; b=TEKvhxd8jchiuLq+PorOp2Sd/b 0hDDhdR9VB0nNAVM5m0hnH/NfhJbAT19hdHVOdP7K1TEi0I4tlDj/DOEWxrt0JxrBAwSkSHHQ+d+f Ug6g1zgSrzo1FQIm/Js70USW/jeM8hExWE38+uv1dmn4DcCTwAmygN4FsZ9G25mohYtE=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=66dleLHQqOo7b4/SrvqMQZcbDRYeSe3ZEXOcAz+5T7k=; b=QAvJRZXzYW1m2FUIFRIH0yicpF aRnnKh0KkO5IxWP843octLh0LkWhFe9kM4sj803IM15g1e1AnJl1mec9Vhw5gqaNplbZV8wEQyCGL bo77CTTBq8FEmMXaJdqStoJu6qnIXolklS0SuRhFuST2rih0hMgvuiFICVv1bVdKMCtY=; Received: from mail.blinkt.de ([192.26.174.232]) by 
sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1k58vU-00FaLY-N7 for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 14:37:26 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1k58vE-000OS6-Ei for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 16:37:08 +0200 Received: (nullmailer pid 5898 invoked by uid 10006); Mon, 10 Aug 2020 14:37:08 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 10 Aug 2020 16:36:56 +0200 Message-Id: <20200810143707.5834-7-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org> References: <20200810143707.5834-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.1 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1k58vU-00FaLY-N7 Subject: [Openvpn-devel] [PATCH 06/17] Remove a number of check/do_work wrapper calls from coarse_timers X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
This indirection is not very helpful in understanding the code flow. Move the check to process_coarse_timers, remove the check function and rename the do_work function to drop the do_work, as it no longer serves a purpose.
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/forward.c | 166 +++++++++++------------------------------- src/openvpn/forward.h | 12 +-- src/openvpn/status.c | 13 ---- src/openvpn/status.h | 2 - 4 files changed, 47 insertions(+), 146 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 8a0d63f7..7ac878f9 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
@@ -138,84 +138,6 @@ check_incoming_control_channel(struct context *c) #endif } -/* - * Should we add routes? - */ -static inline void -check_add_routes(struct context *c) -{ - void check_add_routes_dowork(struct context *c); - - if (event_timeout_trigger(&c->c2.route_wakeup, &c->c2.timeval, ETT_DEFAULT)) - { - check_add_routes_dowork(c); - } -} - -/* - * Should we exit due to inactivity timeout? - */ -static inline void -check_inactivity_timeout(struct context *c) -{ - void check_inactivity_timeout_dowork(struct context *c); - - if (c->options.inactivity_timeout - && event_timeout_trigger(&c->c2.inactivity_interval, &c->c2.timeval, ETT_DEFAULT)) - { - check_inactivity_timeout_dowork(c); - } -} - -#if P2MP - -static inline void -check_server_poll_timeout(struct context *c) -{ - void check_server_poll_timeout_dowork(struct context *c); - - if (c->options.ce.connect_timeout - && event_timeout_trigger(&c->c2.server_poll_interval, &c->c2.timeval, ETT_DEFAULT)) - { - check_server_poll_timeout_dowork(c); - } -} - -/* - * Scheduled exit? - */ -static inline void -check_scheduled_exit(struct context *c) -{ - void check_scheduled_exit_dowork(struct context *c); - - if (event_timeout_defined(&c->c2.scheduled_exit)) - { - if (event_timeout_trigger(&c->c2.scheduled_exit, &c->c2.timeval, ETT_DEFAULT)) - { - check_scheduled_exit_dowork(c); - } - } -} -#endif /* if P2MP */ - -/* - * Should we write timer-triggered status file. - */ -static inline void -check_status_file(struct context *c) -{ - void check_status_file_dowork(struct context *c); - - if (c->c1.status_output) - { - if (status_trigger_tv(c->c1.status_output, &c->c2.timeval)) - { - check_status_file_dowork(c); - } - } -} - #ifdef ENABLE_FRAGMENT /* * Should we deliver a datagram fragment to remote? 
@@ -232,37 +154,6 @@ check_fragment(struct context *c) } #endif -#if P2MP - -/* - * see if we should send a push_request in response to --pull - */ -static inline void -check_push_request(struct context *c) -{ - void check_push_request_dowork(struct context *c); - - if (event_timeout_trigger(&c->c2.push_request_interval, &c->c2.timeval, ETT_DEFAULT)) - { - check_push_request_dowork(c); - } -} - -#endif - -/* - * Should we persist our anti-replay packet ID state to disk? - */ -static inline void -check_packet_id_persist_flush(struct context *c) -{ - if (packet_id_persist_enabled(&c->c1.pid_persist) - && event_timeout_trigger(&c->c2.packet_id_persist_interval, &c->c2.timeval, ETT_DEFAULT)) - { - packet_id_persist_save(&c->c1.pid_persist); - } -} - /* * Set our wakeup to 0 seconds, so we will be rescheduled * immediately. @@ -410,7 +301,7 @@ check_incoming_control_channel_dowork(struct context *c) * Periodically resend PUSH_REQUEST until PUSH message received */ void -check_push_request_dowork(struct context *c) +check_push_request(struct context *c) { send_push_request(c); @@ -521,7 +412,7 @@ check_add_routes_action(struct context *c, const bool errors) } void -check_add_routes_dowork(struct context *c) +check_add_routes(struct context *c) { if (test_routes(c->c1.route_list, c->c1.tuntap)) { @@ -559,7 +450,7 @@ check_add_routes_dowork(struct context *c) * Should we exit due to inactivity timeout? */ void -check_inactivity_timeout_dowork(struct context *c) +check_inactivity_timeout(struct context *c) { msg(M_INFO, "Inactivity timeout (--inactive), exiting"); register_signal(c, SIGTERM, "inactive"); @@ -575,7 +466,7 @@ get_server_poll_remaining_time(struct event_timeout *server_poll_timeout) #if P2MP void -check_server_poll_timeout_dowork(struct context *c) +check_server_poll_timeout(struct context *c) { event_timeout_reset(&c->c2.server_poll_interval); ASSERT(c->c2.tls_multi); 
@@ -605,7 +496,7 @@ schedule_exit(struct context *c, const int n_seconds, const int signal) * Scheduled exit? */ void -check_scheduled_exit_dowork(struct context *c) +check_scheduled_exit(struct context *c) { register_signal(c, c->c2.scheduled_exit_signal, "delayed-exit"); } @@ -616,7 +507,7 @@ check_scheduled_exit_dowork(struct context *c) * Should we write timer-triggered status file. */ void -check_status_file_dowork(struct context *c) +check_status_file(struct context *c) { if (c->c1.status_output) { @@ -761,10 +652,18 @@ process_coarse_timers(struct context *c) { /* flush current packet-id to file once per 60 * seconds if --replay-persist was specified */ - check_packet_id_persist_flush(c); + if (packet_id_persist_enabled(&c->c1.pid_persist) + && event_timeout_trigger(&c->c2.packet_id_persist_interval, &c->c2.timeval, ETT_DEFAULT)) + { + packet_id_persist_save(&c->c1.pid_persist); + } - /* should we update status file? */ - check_status_file(c); + /* Should we write timer-triggered status file */ + if (c->c1.status_output + && event_timeout_trigger(&c->c1.status_output->et, &c->c2.timeval, ETT_DEFAULT)) + { + check_status_file(c); + } /* process connection establishment items */ if (event_timeout_trigger(&c->c2.wait_for_connect, &c->c2.timeval, ETT_DEFAULT)) @@ -772,8 +671,11 @@ process_coarse_timers(struct context *c) check_connection_established(c); } #if P2MP - /* see if we should send a push_request in response to --pull */ - check_push_request(c); + /* see if we should send a push_request (option --pull) */ + if (event_timeout_trigger(&c->c2.push_request_interval, &c->c2.timeval, ETT_DEFAULT)) + { + check_push_request(c); + } #endif #ifdef PLUGIN_PF 
@@ -781,10 +683,18 @@ process_coarse_timers(struct context *c) #endif /* process --route options */ - check_add_routes(c); + if (event_timeout_trigger(&c->c2.route_wakeup, &c->c2.timeval, ETT_DEFAULT)) + { + check_add_routes(c); + } /* possibly exit due to --inactive */ - check_inactivity_timeout(c); + if (c->options.inactivity_timeout + && event_timeout_trigger(&c->c2.inactivity_interval, &c->c2.timeval, ETT_DEFAULT)) + { + check_inactivity_timeout(c); + } + if (c->sig->signal_received) { return; @@ -800,13 +710,19 @@ process_coarse_timers(struct context *c) #if P2MP if (c->c2.tls_multi) { - check_server_poll_timeout(c); + if (c->options.ce.connect_timeout + && event_timeout_trigger(&c->c2.server_poll_interval, &c->c2.timeval, ETT_DEFAULT)) + { + check_server_poll_timeout(c); + } if (c->sig->signal_received) { return; } - - check_scheduled_exit(c); + if (event_timeout_trigger(&c->c2.scheduled_exit, &c->c2.timeval, ETT_DEFAULT)) + { + check_scheduled_exit(c); + } if (c->sig->signal_received) { return; diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 635e84ae..114a24e7 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h @@ -77,9 +77,9 @@ void check_tls_errors_nco(struct context *c); #if P2MP void check_incoming_control_channel_dowork(struct context *c); -void check_scheduled_exit_dowork(struct context *c); +void check_scheduled_exit(struct context *c); -void check_push_request_dowork(struct context *c); +void check_push_request(struct context *c); #endif /* P2MP */ 
@@ -90,13 +90,13 @@ void check_fragment_dowork(struct context *c); void check_connection_established(struct context *c); -void check_add_routes_dowork(struct context *c); +void check_add_routes(struct context *c); -void check_inactivity_timeout_dowork(struct context *c); +void check_inactivity_timeout(struct context *c); -void check_server_poll_timeout_dowork(struct context *c); +void check_server_poll_timeout(struct context *c); -void check_status_file_dowork(struct context *c); +void check_status_file(struct context *c); void io_wait_dowork(struct context *c, const unsigned int flags); diff --git a/src/openvpn/status.c b/src/openvpn/status.c index 91391d1a..e8dcf7cd 100644 --- a/src/openvpn/status.c +++ b/src/openvpn/status.c @@ -146,19 +146,6 @@ status_trigger(struct status_output *so) } } -bool -status_trigger_tv(struct status_output *so, struct timeval *tv) -{ - if (so) - { - return event_timeout_trigger(&so->et, tv, ETT_DEFAULT); - } - else - { - return false; - } -} - void status_reset(struct status_output *so) { diff --git a/src/openvpn/status.h b/src/openvpn/status.h index 2a399d7d..66e5bc53 100644 --- a/src/openvpn/status.h +++ b/src/openvpn/status.h 
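Review bot: the status-file check in `process_coarse_timers` (hunk at @@ -761) now reads `c->c1.status_output->et` directly from forward.c, which is exactly what the removed `status_trigger_tv()` encapsulated, so the timer loop now depends on the layout of `struct status_output`. If that is acceptable, the `if (c->c1.status_output)` test that remains inside `check_status_file()` (hunk at @@ -616) is redundant with the guard at the call site; either drop it or keep it with a comment marking it as deliberately defensive.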
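Review bot: the scheduled-exit conversion (hunk at @@ -800) drops the outer `event_timeout_defined(&c->c2.scheduled_exit)` test that the removed `check_scheduled_exit()` wrapper had and calls `event_timeout_trigger()` unconditionally. That is only behaviour-preserving if `event_timeout_trigger()` returns false for a timeout that was never defined; the commit message should state that this was verified, because the other converted sites in the same function (`server_poll_interval`, `inactivity_interval`, `packet_id_persist_interval`) all keep their original outer condition.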
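Review bot: `status_trigger_tv()` is deleted from status.c and its prototype from status.h while its only visible caller is replaced inline; since this series touches only forward.c for callers, please confirm with a tree-wide search that no other translation unit uses it, otherwise the build breaks once the declaration is gone.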
@@ -69,8 +69,6 @@ struct status_output *status_open(const char *filename, const struct virtual_output *vout, const unsigned int flags); -bool status_trigger_tv(struct status_output *so, struct timeval *tv); - bool status_trigger(struct status_output *so); void status_reset(struct status_output *so); From patchwork Mon Aug 10 04:36:57 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1364 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id UKizF9JbMV85DQAAIUCqbw for ; Mon, 10 Aug 2020 10:38:10 -0400 Received: from proxy12.mail.ord1d.rsapps.net ([172.30.191.6]) by director12.mail.ord1d.rsapps.net with LMTP id WLqUF9JbMV8sJQAAIasKDg (envelope-from ) for ; Mon, 10 Aug 2020 10:38:10 -0400 Received: from smtp8.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy12.mail.ord1d.rsapps.net with LMTP id ULwJF9JbMV8+IwAA7PHxkg ; Mon, 10 Aug 2020 10:38:10 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp8.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 1bedd5c4-db17-11ea-965a-782bcb03304b-1-1 Received: from [216.105.38.7] ([216.105.38.7:44772] helo=lists.sourceforge.net) by smtp8.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id F5/AB-06145-1DB513F5; 
Mon, 10 Aug 2020 10:38:09 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1k58vU-0004jD-2A; Mon, 10 Aug 2020 14:37:24 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k58vS-0004il-A5 for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 14:37:22 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=om65lIgm+AGJ9K54MjZUs+9vTWwRhO6OYTv9irbwBd8=; b=HRxjufUDFdTw8p3ETBGv4jcB6O P82nNe4CQPKU5Ow5E21i6FysyzRbwXD0bVt134x6w4md0+hduVrchoSBp1bP7sQsxwtvSBYvzAptJ zO3sFe5mMtrc3dcah65Ufi0QQ39tthbv6w8URdN6FfIapdzPIR42efH6+94BjYYfLu5U=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=om65lIgm+AGJ9K54MjZUs+9vTWwRhO6OYTv9irbwBd8=; b=Arh2R+ISb8RARFa1upZ0y+zI3J FKwla8LBczjPwMtZHD1H9/kNJX91r+vW1XIr/ylUs2ydwKRDluBDb2Rl3sk4QQNF+e64knjgvLs+Q cU3Sf7yZsNRlkV8vqgzqO3EEI3SJYwNIUZmTk/WNyoWSrq/U3hCM6E1tRdSHCvy5qVWE=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1k58vR-002taU-B6 for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 
14:37:22 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1k58vE-000OS9-H8 for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 16:37:08 +0200 Received: (nullmailer pid 5901 invoked by uid 10006); Mon, 10 Aug 2020 14:37:08 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 10 Aug 2020 16:36:57 +0200 Message-Id: <20200810143707.5834-8-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org> References: <20200810143707.5834-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1k58vR-002taU-B6 Subject: [Openvpn-devel] [PATCH 07/17] Split pf_check_reload check and check timer in process_coarse_timers X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
This moves the timer check into process_coarse_timers and makes it in line with the other functions. The pf.enabled check is also moved to process_coarse_timers to make it more clear that this is only used if pf is enabled at all.
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/forward.c | 6 +++++- src/openvpn/pf.c | 4 +--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 7ac878f9..27a40b0c 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c 
@@ -679,7 +679,11 @@ process_coarse_timers(struct context *c) #endif #ifdef PLUGIN_PF - pf_check_reload(c); + if (c->c2.pf.enabled + && event_timeout_trigger(&c->c2.pf.reload, &c->c2.timeval, ETT_DEFAULT)) + { + pf_check_reload(c); + } #endif /* process --route options */ diff --git a/src/openvpn/pf.c b/src/openvpn/pf.c index b8da26e4..f9bbfb50 100644 --- a/src/openvpn/pf.c +++ b/src/openvpn/pf.c 
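Review bot: the new guard in `process_coarse_timers` tests `c->c2.pf.enabled` and then the `c->c2.pf.reload` timer, but the old `pf_check_reload()` evaluated `c->c2.pf.filename` before the timer, and that test now happens only inside the callee. With pf enabled and no filename, `event_timeout_trigger()` is therefore called (and its timer consumed) where previously it was never reached; if that extra periodic wake-up is not intended, test `c->c2.pf.filename` in the caller as well, ahead of the timer, and say in the commit message that the order of the three conditions changed.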
@@ -547,9 +547,7 @@ pf_check_reload(struct context *c) const int wakeup_transition = 60; bool reloaded = false; - if (c->c2.pf.enabled - && c->c2.pf.filename - && event_timeout_trigger(&c->c2.pf.reload, &c->c2.timeval, ETT_DEFAULT)) + if (c->c2.pf.filename) { platform_stat_t s; if (!platform_stat(c->c2.pf.filename, &s)) From patchwork Mon Aug 10 04:36:58 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1358 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id cJzNKsxbMV99fQAAIUCqbw for ; Mon, 10 Aug 2020 10:38:04 -0400 Received: from proxy2.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id 2LaqKsxbMV/dFgAAalYnBA (envelope-from ) for ; Mon, 10 Aug 2020 10:38:04 -0400 Received: from smtp9.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy2.mail.ord1d.rsapps.net with LMTP id sLN7KsxbMV9OJwAAfawv4w ; Mon, 10 Aug 2020 10:38:04 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp9.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 185a5482-db17-11ea-96ed-0026b95bddb7-1-1 Received: from [216.105.38.7] ([216.105.38.7:46270] helo=lists.sourceforge.net) by smtp9.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 
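Review bot: after this hunk `pf_check_reload()` assumes its caller has already checked `c->c2.pf.enabled` and that the `pf.reload` timeout has fired, but nothing in pf.c records that precondition. A short comment above the function (or on its prototype) saying it is only to be called from the coarse-timer path once the reload timer triggers would stop a future caller from re-introducing a `platform_stat()` on every call.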
6C/79-16801-BCB513F5; Mon, 10 Aug 2020 10:38:03 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1k58vO-0007CJ-E3; Mon, 10 Aug 2020 14:37:18 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k58vN-0007By-1L for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 14:37:17 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=PzNt1RMeHcgQkwjoemM4Jh7GKHvVH35NA0LYFTtR5KE=; b=CXXcV7LKcemEIjrYY++/GGsw0N xwyAvERD3tYPWnurX1nuKBNwXARybuqcj0Nj6tiMLW9EbY47YCaNbEg9q4LRQv82z68yJBmZ3bDzv AS4W2rxkxtFYVIOluetBWHyDdT0WqZjLhvhZE+qojIomrl1Og8x9lGcKlGrMIUokz1Yo=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=PzNt1RMeHcgQkwjoemM4Jh7GKHvVH35NA0LYFTtR5KE=; b=jrstVhv04FH2uMqHEqjujahmK2 zdyJP+OLpAGaCWRzcGie5GlBSIXsgI0WDtxDPiRmrGjSplZzeZ6TaNk0lpWDzZCD/rQ5rjaKyl4zK DLtUopnjvnEElr72LnOL42uJwTUFy4qpaWnbKw8udRkkoOt4mL5gMMt1bwpB6WpN8xBI=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1k58vL-005kqx-5k for 
openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 14:37:16 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1k58vE-000OSC-Iz for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 16:37:08 +0200 Received: (nullmailer pid 5904 invoked by uid 10006); Mon, 10 Aug 2020 14:37:08 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 10 Aug 2020 16:36:58 +0200 Message-Id: <20200810143707.5834-9-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org> References: <20200810143707.5834-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1k58vL-005kqx-5k Subject: [Openvpn-devel] [PATCH 08/17] Rename check_ping_restart_dowork to trigger_ping_timeout_signal X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Rename the function to better capture its actual function. Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/ping.c | 6 +----- src/openvpn/ping.h | 13 +++++++------ 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/src/openvpn/ping.c b/src/openvpn/ping.c index 358d54b0..aa176fdb 100644 --- a/src/openvpn/ping.c +++ b/src/openvpn/ping.c 
@@ -46,12 +46,8 @@ const uint8_t ping_string[] = { 0x07, 0xed, 0x2d, 0x0a, 0x98, 0x1f, 0xc7, 0x48 }; -/* - * Should we exit or restart due to ping (or other authenticated packet) - * not received in n seconds? - */ void -check_ping_restart_dowork(struct context *c) +trigger_ping_timeout_signal(struct context *c) { struct gc_arena gc = gc_new(); switch (c->options.ping_rec_timeout_action) diff --git a/src/openvpn/ping.h b/src/openvpn/ping.h index b51f082a..6feaa878 100644 --- a/src/openvpn/ping.h +++ b/src/openvpn/ping.h @@ -43,7 +43,12 @@ is_ping_msg(const struct buffer *buf) return buf_string_match(buf, ping_string, PING_STRING_SIZE); } -void check_ping_restart_dowork(struct context *c); +/** + * Trigger the correct signal on a --ping timeout + * depending if --ping-exit is set (SIGTERM) or not + * (SIGUSR1) + */ +void trigger_ping_timeout_signal(struct context *c); void check_ping_send_dowork(struct context *c); @@ -54,8 +59,6 @@ void check_ping_send_dowork(struct context *c); static inline void check_ping_restart(struct context *c) { - void check_ping_restart_dowork(struct context *c); - if (c->options.ping_rec_timeout && event_timeout_trigger(&c->c2.ping_rec_interval, &c->c2.timeval, @@ -63,7 +66,7 @@ check_ping_restart(struct context *c) || link_socket_actual_defined(&c->c1.link_socket_addr.actual)) ? ETT_DEFAULT : 15)) { - check_ping_restart_dowork(c); + trigger_ping_timeout_signal(c); } } 
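Review bot: the ping.c hunk deletes the comment that said when the function runs ("ping ... not received in n seconds") and the replacement doc comment in ping.h describes only which signal is raised. Keep the "when" alongside the "what" in the new comment, tidy its wording ("depending on whether --ping-exit is set (SIGTERM) or not (SIGUSR1)"), and check it against the `switch (c->options.ping_rec_timeout_action)` in the body so that every case of that switch is covered by the documented behaviour.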
@@ -73,8 +76,6 @@ check_ping_restart(struct context *c) static inline void check_ping_send(struct context *c) { - void check_ping_send_dowork(struct context *c); - if (c->options.ping_send_timeout && event_timeout_trigger(&c->c2.ping_send_interval, &c->c2.timeval, From patchwork Mon Aug 10 04:36:59 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1366 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id WIZyLNRbMV99fQAAIUCqbw for ; Mon, 10 Aug 2020 10:38:12 -0400 Received: from proxy1.mail.ord1c.rsapps.net ([172.28.255.1]) by director11.mail.ord1d.rsapps.net with LMTP id QBIJLNRbMV+LTAAAvGGmqA (envelope-from ) for ; Mon, 10 Aug 2020 10:38:12 -0400 Received: from smtp10.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy1.mail.ord1c.rsapps.net with LMTP id aLC2K9RbMV/ZYQAA2VeTtA ; Mon, 10 Aug 2020 10:38:12 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp10.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 1dce955e-db17-11ea-8b0a-0026b954785f-1-1 Received: from [216.105.38.7] ([216.105.38.7:44862] helo=lists.sourceforge.net) by smtp10.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 04/26-32602-4DB513F5; Mon, 10 Aug 2020 10:38:12 -0400 
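Review bot: dropping the nested `void check_ping_send_dowork(struct context *c);` prototype from `check_ping_send()` is unrelated to the rename in the subject line. It is harmless, because the file-scope declaration of `check_ping_send_dowork` sits just above (visible in the @@ -43 hunk), but the commit message should mention this extra cleanup.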
Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1k58vi-0004mR-LE; Mon, 10 Aug 2020 14:37:38 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1k58vV-0004kO-S4 for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 14:37:25 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=PwHHI3NM3n7Y0gZvoQAmCSmmiJPzMt6BieH7nOykhyQ=; b=cft6WUvc3MswVqNqVkpcA1WLXn G/R4M8rEyH6DObq7vtwHhLwfHJ5PA/YyqLE4l7I4gBEMMPYzZEMvIflb2gFnDQnBIP7OqjfYFrWkg KtcN74Jh7/9+AnNf0dwOBIBk7nms1T2O+kSrMOKHzaTzFVH3jV8lhZjTQN9NJtDoqfnM=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=PwHHI3NM3n7Y0gZvoQAmCSmmiJPzMt6BieH7nOykhyQ=; b=R6YoQhKvgbAuD5iooKYN6Mj2hQ 6arg0RNPFnAuRB7rXhXlBolyluktwU+1eVigxDsGUdvXYogMtHGtZYaodtkH8pm8Wa8rqNdQ16NBM YIJ9NoOFw18r75TxQh3/i7NWJbOodwETVin/A/gRYjLIOMg4qIbYNNsgH6EUXW+I1wzE=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1k58vU-00FaLA-NU for openvpn-devel@lists.sourceforge.net; Mon, 10 Aug 2020 14:37:25 +0000 Received: from 
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Aug 2020 16:36:59 +0200
Message-Id: <20200810143707.5834-10-arne@rfc2549.org>
In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org>
References: <20200810143707.5834-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 09/17] Eliminate check_fragment function

This is another of the small wrapper functions where the check is better moved into the calling function.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/forward.c | 25 +++++--------------------
 src/openvpn/forward.h | 2 +-
 2 files changed, 6 insertions(+), 21 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 27a40b0c..866dd138 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c
@@ -129,8 +129,6 @@ static inline void check_incoming_control_channel(struct context *c) { #if P2MP - void check_incoming_control_channel_dowork(struct context *c); - if (tls_test_payload_len(c->c2.tls_multi) > 0) { check_incoming_control_channel_dowork(c); @@ -138,22 +136,6 @@ check_incoming_control_channel(struct context *c) #endif } -#ifdef ENABLE_FRAGMENT -/* - * Should we deliver a datagram fragment to remote? - */ -static inline void -check_fragment(struct context *c) -{ - void check_fragment_dowork(struct context *c); - - if (c->c2.fragment) - { - check_fragment_dowork(c); - } -} -#endif - /* * Set our wakeup to 0 seconds, so we will be rescheduled * immediately. @@ -520,7 +502,7 @@ check_status_file(struct context *c) * Should we deliver a datagram fragment to remote? */ void -check_fragment_dowork(struct context *c) +check_fragment(struct context *c) { struct link_socket_info *lsi = get_link_socket_info(c); @@ -1903,7 +1885,10 @@ pre_select(struct context *c) #ifdef ENABLE_FRAGMENT /* Should we deliver a datagram fragment to remote? */ - check_fragment(c); + if (c->c2.fragment) + { + check_fragment(c); + } #endif /* Update random component of timeout */ diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 114a24e7..e8b8900a 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h 
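Review bot: The first hunk (@@ -129,8) drops the in-function forward declaration of check_incoming_control_channel_dowork, which has nothing to do with the check_fragment removal this commit's subject announces; it only compiles because forward.h already declares that function under P2MP, and it would be easier to bisect if squashed into the next patch, which reworks check_incoming_control_channel anyway. The remaining hunks are a mechanical hoist of `if (c->c2.fragment)` into pre_select plus the rename of check_fragment_dowork to check_fragment, so behaviour is unchanged; the duplicated doc comment "Should we deliver a datagram fragment to remote?" now lives both on the function and at the call site, and one of the two could go.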
@@ -84,7 +84,7 @@ void check_push_request(struct context *c); #endif /* P2MP */ #ifdef ENABLE_FRAGMENT -void check_fragment_dowork(struct context *c); +void check_fragment(struct context *c); #endif /* ENABLE_FRAGMENT */

From patchwork Mon Aug 10 04:37:00 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1369
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Aug 2020 16:37:00 +0200
Message-Id: <20200810143707.5834-11-arne@rfc2549.org>
In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org>
References: <20200810143707.5834-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 10/17] Eliminate check_incoming_control_channel wrapper function

Move the check that calls this function into the calling function. Also eliminate the if (len) check in the check_incoming_control_channel_dowork function as it is only called if len is > 0 anyway and replace it with an ASSERT.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/forward.c | 117 +++++++++++++++++++-----------------------
 src/openvpn/forward.h | 2 +-
 2 files changed, 55 insertions(+), 64 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 866dd138..0e05b08b 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c
@@ -121,21 +121,6 @@ check_tls_errors(struct context *c) } } -/* - * Check for possible incoming configuration - * messages on the control channel. - */ -static inline void -check_incoming_control_channel(struct context *c) -{ -#if P2MP - if (tls_test_payload_len(c->c2.tls_multi) > 0) - { - check_incoming_control_channel_dowork(c); - } -#endif -} - /* * Set our wakeup to 0 seconds, so we will be rescheduled * immediately. 
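Review bot: Deleting this wrapper removes the one place where both the `#if P2MP` guard and the `tls_test_payload_len(c->c2.tls_multi) > 0` precondition were enforced for check_incoming_control_channel; every call site now has to repeat both (the pre_select hunk later in this patch does), so the exported prototype in forward.h deserves a one-line comment stating that the function must only be called while control-channel payload is pending.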
@@ -222,61 +207,61 @@ check_tls_errors_nco(struct context *c) * messages on the control channel. */ void -check_incoming_control_channel_dowork(struct context *c) +check_incoming_control_channel(struct context *c) { - const int len = tls_test_payload_len(c->c2.tls_multi); - if (len) + int len = tls_test_payload_len(c->c2.tls_multi); + /* We should only be called with len >0 */ + ASSERT(len > 0); + + struct gc_arena gc = gc_new(); + struct buffer buf = alloc_buf_gc(len, &gc); + if (tls_rec_payload(c->c2.tls_multi, &buf)) { - struct gc_arena gc = gc_new(); - struct buffer buf = alloc_buf_gc(len, &gc); - if (tls_rec_payload(c->c2.tls_multi, &buf)) - { - /* force null termination of message */ - buf_null_terminate(&buf); + /* force null termination of message */ + buf_null_terminate(&buf); - /* enforce character class restrictions */ - string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0); + /* enforce character class restrictions */ + string_mod(BSTR(&buf), CC_PRINT, CC_CRLF, 0); - if (buf_string_match_head_str(&buf, "AUTH_FAILED")) - { - receive_auth_failed(c, &buf); - } - else if (buf_string_match_head_str(&buf, "PUSH_")) - { - incoming_push_message(c, &buf); - } - else if (buf_string_match_head_str(&buf, "RESTART")) - { - server_pushed_signal(c, &buf, true, 7); - } - else if (buf_string_match_head_str(&buf, "HALT")) - { - server_pushed_signal(c, &buf, false, 4); - } - else if (buf_string_match_head_str(&buf, "INFO_PRE")) - { - server_pushed_info(c, &buf, 8); - } - else if (buf_string_match_head_str(&buf, "INFO")) - { - server_pushed_info(c, &buf, 4); - } - else if (buf_string_match_head_str(&buf, "CR_RESPONSE")) - { - receive_cr_response(c, &buf); - } - else - { - msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf)); - } + if (buf_string_match_head_str(&buf, "AUTH_FAILED")) + { + receive_auth_failed(c, &buf); + } + else if (buf_string_match_head_str(&buf, "PUSH_")) + { + incoming_push_message(c, &buf); + } + else if 
(buf_string_match_head_str(&buf, "RESTART")) + { + server_pushed_signal(c, &buf, true, 7); + } + else if (buf_string_match_head_str(&buf, "HALT")) + { + server_pushed_signal(c, &buf, false, 4); + } + else if (buf_string_match_head_str(&buf, "INFO_PRE")) + { + server_pushed_info(c, &buf, 8); + } + else if (buf_string_match_head_str(&buf, "INFO")) + { + server_pushed_info(c, &buf, 4); + } + else if (buf_string_match_head_str(&buf, "CR_RESPONSE")) + { + receive_cr_response(c, &buf); } else { - msg(D_PUSH_ERRORS, "WARNING: Receive control message failed"); + msg(D_PUSH_ERRORS, "WARNING: Received unknown control message: %s", BSTR(&buf)); } - - gc_free(&gc); } + else + { + msg(D_PUSH_ERRORS, "WARNING: Receive control message failed"); + } + + gc_free(&gc); } /* @@ -1877,8 +1862,14 @@ pre_select(struct context *c) return; } - /* check for incoming configuration info on the control channel */ - check_incoming_control_channel(c); +#if P2MP + /* check for incoming control messages on the control channel like + * push request/reply, or authentication failure and 2FA messages */ + if (tls_test_payload_len(c->c2.tls_multi) > 0) + { + check_incoming_control_channel(c); + } +#endif /* Should we send an OCC message? */ check_send_occ_msg(c); diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index e8b8900a..27e7fde7 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h 
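Review bot: In the @@ -222,61 hunk, `const int len` becomes `int len` without need; keep the const. Replacing the `if (len)` early return with `ASSERT(len > 0)` turns a formerly silent no-op into a fatal abort, which is only safe while the single caller in pre_select keeps its `tls_test_payload_len(...) > 0` guard; since the function is now exported, the precondition should be stated on the prototype rather than left to the call site. The comment `/* We should only be called with len >0 */` should read `len > 0`, and in the pre_select hunk the new `#if P2MP` block matches the guard on the prototype in forward.h, so the non-P2MP build stays consistent. The gc_free(&gc) at the end still runs on both the success and the "Receive control message failed" path, so no arena is leaked by the re-indentation.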
@@ -75,7 +75,7 @@ void check_tls_errors_co(struct context *c); void check_tls_errors_nco(struct context *c); #if P2MP -void check_incoming_control_channel_dowork(struct context *c); +void check_incoming_control_channel(struct context *c); void check_scheduled_exit(struct context *c);

From patchwork Mon Aug 10 04:37:01 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1357
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Aug 2020 16:37:01 +0200
Message-Id: <20200810143707.5834-12-arne@rfc2549.org>
In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org>
References: <20200810143707.5834-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 11/17] Eliminate check_tls wrapper function

Move check into caller. Remove two in-function forward declarations that are not needed from check_tls_errors.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/forward.c | 27 ++++++--------------------
 src/openvpn/forward.h | 2 +-
 2 files changed, 7 insertions(+), 22 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 0e05b08b..36e5c175 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c
@@ -77,20 +77,6 @@ show_wait_status(struct context *c) #endif /* ifdef ENABLE_DEBUG */ -/* - * Does TLS session need service? - */ -static inline void -check_tls(struct context *c) -{ - void check_tls_dowork(struct context *c); - - if (c->c2.tls_multi) - { - check_tls_dowork(c); - } -} - /* * TLS errors are fatal in TCP mode. * Also check for --tls-exit trigger. @@ -98,10 +84,6 @@ check_tls(struct context *c) static inline void check_tls_errors(struct context *c) { - void check_tls_errors_co(struct context *c); - - void check_tls_errors_nco(struct context *c); - if (c->c2.tls_multi && c->c2.tls_exit_signal) { if (link_socket_connection_oriented(c->c2.link_socket)) @@ -157,7 +139,7 @@ context_reschedule_sec(struct context *c, int sec) * */ void -check_tls_dowork(struct context *c) +check_tls(struct context *c) { interval_t wakeup = BIG_TIMEOUT; @@ -1852,8 +1834,11 @@ pre_select(struct context *c) return; } - /* Does TLS need service? */ - check_tls(c); + /* If tls is enabled, do tls control channel packet processing. */ + if (c->c2.tls_multi) + { + check_tls(c); + } /* In certain cases, TLS errors will require a restart */ check_tls_errors(c); diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h index 27e7fde7..a8b19f69 100644 --- a/src/openvpn/forward.h +++ b/src/openvpn/forward.h 
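Review bot: Dropping the two in-function forward declarations in check_tls_errors (@@ -98,10) is safe only because forward.h already exports check_tls_errors_co and check_tls_errors_nco, which the forward.h context shown in the previous patch confirms; the commit message should say so, since "not needed" on its own does not tell a reader where the declarations come from. Nit in the pre_select hunk: the new comment `/* If tls is enabled, do tls control channel packet processing. */` should spell TLS in capitals like the surrounding comments. The `if (c->c2.tls_multi)` guard reproduces the removed wrapper exactly, so the change is behaviour-neutral.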
@@ -68,7 +68,7 @@ extern counter_type link_read_bytes_global; extern counter_type link_write_bytes_global; -void check_tls_dowork(struct context *c); +void check_tls(struct context *c); void check_tls_errors_co(struct context *c);

From patchwork Mon Aug 10 04:37:02 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1371
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Aug 2020 16:37:02 +0200
Message-Id: <20200810143707.5834-13-arne@rfc2549.org>
In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org>
References: <20200810143707.5834-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 12/17] Merge check_coarse_timers and check_coarse_timers_dowork

This simplifies the code a bit and makes the code flow clearer, as it only adds three curly brackets in check_coarse_timers. Merging the resulting check_coarse_timers_dowork function into the caller and called function, as with the other functions, does not make sense here since it does more than the similar functions.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/forward.c | 22 +++++++---------------
 1 file changed, 7 insertions(+), 15 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 36e5c175..7ed8d0d7 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c
@@ -700,8 +700,14 @@ process_coarse_timers(struct context *c) } static void -check_coarse_timers_dowork(struct context *c) +check_coarse_timers(struct context *c) { + if (now < c->c2.coarse_timer_wakeup) + { + context_reschedule_sec(c, c->c2.coarse_timer_wakeup - now); + return; + } + const struct timeval save = c->c2.timeval; c->c2.timeval.tv_sec = BIG_TIMEOUT; c->c2.timeval.tv_usec = 0; 
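Review bot: The merged check_coarse_timers reads the global `now` twice, once in the comparison and again in `c->c2.coarse_timer_wakeup - now`, whereas the wrapper being removed deliberately snapshotted it into `local_now` so both uses saw the same value. In OpenVPN's single-threaded event loop `now` only advances through update_time(), so the two reads cannot differ here, but either keep the local copy or add a short comment recording that assumption; otherwise the early return is an exact translation of the old if/else and the timeout bookkeeping below it is untouched.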
@@ -717,20 +723,6 @@ check_coarse_timers_dowork(struct context *c) } } -static inline void -check_coarse_timers(struct context *c) -{ - const time_t local_now = now; - if (local_now >= c->c2.coarse_timer_wakeup) - { - check_coarse_timers_dowork(c); - } - else - { - context_reschedule_sec(c, c->c2.coarse_timer_wakeup - local_now); - } -} - static void check_timeout_random_component_dowork(struct context *c) {

From patchwork Mon Aug 10 04:37:03 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1359
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Aug 2020 16:37:03 +0200
Message-Id: <20200810143707.5834-14-arne@rfc2549.org>
In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org>
References: <20200810143707.5834-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 13/17] Remove S_OP_NORMAL key state.

The key state is virtually identical to S_ACTIVE and we only did the state transition from S_ACTIVE to S_OP_NORMAL at the point where we normally would have timed out the TLS negotiation. This is a very useful to have and indeed we never that information.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/ssl.c        | 24 +++++++----------------
 src/openvpn/ssl_common.h |  9 ++++-----
 2 files changed, 11 insertions(+), 22 deletions(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index a43ee985..0d54c9ed 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -755,9 +755,6 @@ state_name(int state) case S_ACTIVE: return "S_ACTIVE"; - case S_NORMAL_OP: - return "S_NORMAL_OP"; - case S_ERROR: return "S_ERROR"; @@ -2705,21 +2702,12 @@ tls_process(struct tls_multi *multi, } /* Are we timed out on receive? */ - if (now >= ks->must_negotiate) + if (now >= ks->must_negotiate && ks->state < S_ACTIVE) { - if (ks->state < S_ACTIVE) - { - msg(D_TLS_ERRORS, - "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)", - session->opt->handshake_window); - goto error; - } - else /* assume that ks->state == S_ACTIVE */ - { - dmsg(D_TLS_DEBUG_MED, "STATE S_NORMAL_OP"); - ks->state = S_NORMAL_OP; - ks->must_negotiate = 0; - } + msg(D_TLS_ERRORS, + "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)", + session->opt->handshake_window); + goto error; } /* Wait for Initial Handshake ACK */ @@ -2759,6 +2747,8 @@ tls_process(struct tls_multi *multi, } state_change = true; ks->state = S_ACTIVE; + /* Cancel negotiation timeout */ + ks->must_negotiate = 0; INCR_SUCCESS; /* Set outgoing address for data channel packets */ diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 9f777750..96897e48 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -64,8 +64,7 @@ * material. * -# \c S_GOT_KEY, have received remote part of \c key_source2 random * material. - * -# \c S_ACTIVE, normal operation during remaining handshake window. - * -# \c S_NORMAL_OP, normal operation. + * -# \c S_ACTIVE, normal operation * * Servers follow the same order, except for \c S_SENT_KEY and \c * S_GOT_KEY being reversed, because the server first receives the 
@@ -94,9 +93,9 @@ * immediately after negotiation has * completed while still within the * handshake window. */ -/* ready to exchange data channel packets */ -#define S_NORMAL_OP 7 /**< Normal operational \c key_state * state. */ +/* Note that earlier versions also had a S_OP_NORMAL state that was + * virtually identical with S_ACTIVE and the code still assumes everything + * >= S_ACTIVE to be fully operational */ /** @} name Control channel negotiation states */ /** @} addtogroup control_processor */
From patchwork Mon Aug 10 04:37:04 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1354
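Review bot: in the tls_process hunk of PATCH 13/17, once the S_ACTIVE transition sets `ks->must_negotiate = 0`, the test `now >= ks->must_negotiate` is always true, so the negotiation timeout is now enforced solely by `ks->state < S_ACTIVE`. Either make that explicit (`ks->must_negotiate && now >= ks->must_negotiate && ks->state < S_ACTIVE`) or reword the new `/* Cancel negotiation timeout */` comment, which currently suggests that zeroing the field disables the check on its own.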
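Review bot: the replacement comment in the ssl_common.h define hunk refers to `S_OP_NORMAL`, but the state being removed (and the `state_name` case deleted in ssl.c) is `S_NORMAL_OP`; the commit subject has the same transposition. Fix the name in the comment, and while here update the unchanged `S_ACTIVE` description visible in the context lines (`immediately after negotiation has completed while still within the handshake window`), which only made sense while a later state existed; the doc-list hunk above already calls it plain `normal operation`.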
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Aug 2020 16:37:04 +0200
Message-Id: <20200810143707.5834-15-arne@rfc2549.org>
In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2 14/17] Skip existing interfaces on opening the first available utun on macOS

This avoids the error messages trying to open already used utuns.

Signed-off-by: Arne Schwabe
Acked-by: Lev Stipakov
---
 src/openvpn/tun.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index cc7b65cf..30454454 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c
@@ -3021,8 +3021,15 @@ open_darwin_utun(const char *dev, const char *dev_type, const char *dev_node, st /* try to open first available utun device if no specific utun is requested */ if (utunnum == -1) { - for (utunnum = 0; utunnum<255; utunnum++) + for (utunnum = 0; utunnum < 255; utunnum++) { + char ifname[20]; + /* if the interface exists silently skip it */ + ASSERT(snprintf(ifname, sizeof(ifname), "utun%d", utunnum) > 0); + if (if_nametoindex(ifname)) + { + continue; + } fd = utun_open_helper(ctlInfo, utunnum); /* Break if the fd is valid, * or if early initialization failed (-2) */
From patchwork Mon Aug 10 04:37:05 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1365
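Review bot: in the open_darwin_utun hunk of PATCH v2 14/17, `ASSERT(snprintf(ifname, sizeof(ifname), "utun%d", utunnum) > 0)` only catches an encoding error, not truncation; the meaningful check is `< sizeof(ifname)` (with utunnum below 255 the name fits in 20 bytes, so the assert is mainly documentation, but it should document the right property). The name lookup is also only a best-effort optimisation: another process can claim utunN between `if_nametoindex()` and `utun_open_helper()`, so the existing handling of a failed open has to stay in place, and the `/* if the interface exists silently skip it */` comment could say so. `if_nametoindex()` is declared in <net/if.h>; confirm tun.c already includes it for the Darwin build.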
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Aug 2020 16:37:05 +0200
Message-Id: <20200810143707.5834-16-arne@rfc2549.org>
In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 15/17] Refactor key_state_export_keying_material functions

This refactors the common code between mbed SSL and OpenSSL into export_user_keying_material and also prepares the backend functions to export more than one key.
Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c | 32 +++++++++++++++++++++++++++++++- src/openvpn/ssl_backend.h | 14 ++++++++++++-- src/openvpn/ssl_mbedtls.c | 22 ++++++++-------------- src/openvpn/ssl_openssl.c | 34 ++++++++++++++++------------------ 4 files changed, 67 insertions(+), 35 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 0d54c9ed..774ba7ed 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2412,6 +2412,36 @@ error: return false; } +static void +export_user_keying_material(struct key_state_ssl *ssl, + struct tls_session *session) +{ + if (session->opt->ekm_size > 0) + { + unsigned int size = session->opt->ekm_size; + struct gc_arena gc = gc_new(); + + unsigned const char *ekm; + if ((ekm = key_state_export_keying_material(ssl, session, + EXPORT_KEY_USER, &gc))) + { + unsigned int len = (size * 2) + 2; + + const char *key = format_hex_ex(ekm, size, len, 0, NULL, &gc); + setenv_str(session->opt->es, "exported_keying_material", key); + + dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s", + __func__, key); + } + else + { + msg(M_WARN, "WARNING: Export keying material failed!"); + setenv_del(session->opt->es, "exported_keying_material"); + } + gc_free(&gc); + } +} + /** * Handle reading key data, peer-info, username/password, OCC * from the TLS control channel (cleartext). @@ -2541,7 +2571,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio if ((ks->authenticated > KS_AUTH_FALSE) && plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL)) { - key_state_export_keying_material(&ks->ks_ssl, session); + export_user_keying_material(&ks->ks_ssl, session); if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS) { diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 7f52ab1e..40e9106a 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h 
@@ -389,6 +389,12 @@ void key_state_ssl_free(struct key_state_ssl *ks_ssl); void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline); + +/* defines the different RFC5705 that are used in OpenVPN */ +enum export_key_identifier { + EXPORT_KEY_USER +}; + /** * Keying Material Exporters [RFC 5705] allows additional keying material to be * derived from existing TLS channel. This exported keying material can then be @@ -396,11 +402,15 @@ void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, * * @param ks_ssl The SSL channel's state info * @param session The session associated with the given key_state + * @param key The key to export. + * @returns The exported key material */ -void +unsigned const char* key_state_export_keying_material(struct key_state_ssl *ks_ssl, - struct tls_session *session) __attribute__((nonnull)); + struct tls_session *session, + enum export_key_identifier export_key, + struct gc_arena *gc) __attribute__((nonnull)); /**************************************************************************/ /** @addtogroup control_tls diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 9c874788..4a6fad5f 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c 
@@ -231,24 +231,18 @@ mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms, } #endif /* HAVE_EXPORT_KEYING_MATERIAL */ -void +const unsigned char * key_state_export_keying_material(struct key_state_ssl *ssl, - struct tls_session *session) + struct tls_session *session, + enum export_key_identifier key_id, + struct gc_arena *gc) { - if (ssl->exported_key_material) + if (key_id == EXPORT_KEY_USER) { - unsigned int size = session->opt->ekm_size; - struct gc_arena gc = gc_new(); - unsigned int len = (size * 2) + 2; - - const char *key = format_hex_ex(ssl->exported_key_material, - size, len, 0, NULL, &gc); - setenv_str(session->opt->es, "exported_keying_material", key); - - dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s", - __func__, key); - gc_free(&gc); + return ssl->exported_key_material; } + + return NULL; } diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 5ba74402..5cc03cf0 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c 
@@ -158,35 +158,33 @@ tls_ctx_initialised(struct tls_root_ctx *ctx) return NULL != ctx->ctx; } -void +unsigned const char * key_state_export_keying_material(struct key_state_ssl *ssl, - struct tls_session *session) + struct tls_session *session, + enum export_key_identifier key_id, + struct gc_arena *gc) + { - if (session->opt->ekm_size > 0) + if (key_id == EXPORT_KEY_USER) { unsigned int size = session->opt->ekm_size; - struct gc_arena gc = gc_new(); - unsigned char *ekm = (unsigned char *) gc_malloc(size, true, &gc); + unsigned char *ekm = (unsigned char *) gc_malloc(size, true, gc); if (SSL_export_keying_material(ssl->ssl, ekm, size, - session->opt->ekm_label, - session->opt->ekm_label_size, - NULL, 0, 0)) + session->opt->ekm_label, + session->opt->ekm_label_size, + NULL, 0, 0)) { - unsigned int len = (size * 2) + 2; - - const char *key = format_hex_ex(ekm, size, len, 0, NULL, &gc); - setenv_str(session->opt->es, "exported_keying_material", key); - - dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s", - __func__, key); + return ekm; } else { - msg(M_WARN, "WARNING: Export keying material failed!"); - setenv_del(session->opt->es, "exported_keying_material"); + return NULL; } - gc_free(&gc); + } + else + { + return NULL; } }
From patchwork Mon Aug 10 04:37:06 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1362
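Review bot: in the new export_user_keying_material hunk in ssl.c (PATCH 15/17), the failure branch (`WARNING: Export keying material failed!` plus `setenv_del`) now also fires for the mbed TLS backend whenever `ssl->exported_key_material` is NULL, which the removed mbed code handled silently; if that is intended, say so in the commit message, because an mbed TLS build without export support will now log that warning on every TLS_FINAL plugin call when `ekm_size > 0`. Separately, `dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s", __func__, key)` keeps writing the derived secret to the log at debug level; that is pre-existing, but a refactor of this function is the moment to drop it or reduce it to the length.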
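Review bot: the comment `/* defines the different RFC5705 that are used in OpenVPN */` in the ssl_backend.h enum hunk is missing its noun (RFC 5705 exporter keys) and should be a doxygen `/** ... */` block like the rest of this header, with `EXPORT_KEY_USER` described as the user-configured exporter key driven by `session->opt->ekm_label` and `ekm_size`.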
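Review bot: the ssl_backend.h prototype hunk documents `@param key`, but the parameter is named `export_key` there and `key_id` in both backend definitions; the new `gc` parameter has no `@param` at all, and `@returns` should state the buffer's lifetime, which now differs per backend: OpenSSL returns memory allocated from `gc`, mbed TLS returns a pointer into `ssl->exported_key_material` that the caller must not free. Also `unsigned const char*` here versus `const unsigned char *` in ssl_mbedtls.c is the same type spelled two ways; pick one.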
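Review bot: in the ssl_mbedtls.c hunk `session` and `gc` are now unused (`ekm_size` is no longer read here) and the return value aliases state owned by `ssl`; if the intent is that both backends hand back caller-owned memory, copy `ssl->exported_key_material` into `gc_malloc(size, true, gc)` here as the OpenSSL side does, otherwise the aliasing needs to be spelled out in the header.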
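Review bot: in the ssl_openssl.c hunk there is a stray added blank line between `struct gc_arena *gc)` and `{`, and the trailing `else { return NULL; }` duplicates the inner failure branch; a single `return NULL;` after the `if (key_id == EXPORT_KEY_USER)` block reads better. One caveat worth a comment: `ekm` is secret material allocated from `gc`, and the caller in ssl.c releases it with `gc_free(&gc)`, which frees without scrubbing, so the raw exporter output (and the hex string built from it) outlives the call; a `secure_memzero()` of both before `gc_free()` in export_user_keying_material would close that.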
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Aug 2020 16:37:06 +0200
Message-Id: <20200810143707.5834-17-arne@rfc2549.org>
In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 16/17] Move parsing IV_PROTO to separate function

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/multi.c | 49 +++++++++++++++++++++++++++------------------
 1 file changed, 30 insertions(+), 19 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index b7b7e32f..13738180 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1771,6 +1771,28 @@ multi_client_connect_setenv(struct multi_context *m, gc_free(&gc); } +/** + * Extracts the IV_PROTO variable and returns its value or 0 + * if it cannot be extracted. + * + */ +static unsigned int +extract_iv_proto(const char *peer_info) +{ + + const char *optstr = peer_info ? strstr(peer_info, "IV_PROTO=") : NULL; + if (optstr) + { + int proto = 0; + int r = sscanf(optstr, "IV_PROTO=%d", &proto); + if (r == 1 && proto > 0) + { + return proto; + } + } + return 0; +} + /** * Calculates the options that depend on the client capabilities * based on local options and available peer info
@@ -1780,30 +1802,19 @@ multi_client_connect_setenv(struct multi_context *m, static bool multi_client_set_protocol_options(struct context *c) { - - const char *optstr = NULL; struct tls_multi *tls_multi = c->c2.tls_multi; const char *const peer_info = tls_multi->peer_info; struct options *o = &c->options; - /* Send peer-id if client supports it */ - optstr = peer_info ? strstr(peer_info, "IV_PROTO=") : NULL; - if (optstr) - { - int proto = 0; - int r = sscanf(optstr, "IV_PROTO=%d", &proto); - if (r == 1) - { - if (proto & IV_PROTO_DATA_V2) - { - tls_multi->use_peer_id = true; - } - if (proto & IV_PROTO_REQUEST_PUSH) - { - c->c2.push_request_received = true; - } - } + unsigned int proto = extract_iv_proto(peer_info); + if (proto & IV_PROTO_DATA_V2) + { + tls_multi->use_peer_id = true; + } + if (proto & IV_PROTO_REQUEST_PUSH) + { + c->c2.push_request_received = true; } /* Select cipher if client supports Negotiable Crypto Parameters */
From patchwork Mon Aug 10 04:37:07 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1363
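Review bot: in the extract_iv_proto hunk of PATCH 16/17 the value is parsed out of the peer-supplied `peer_info` string with `sscanf(optstr, "IV_PROTO=%d", &proto)` into an `int` and then returned as `unsigned int`; `%d` on a number that does not fit is undefined behaviour in the C standard, and the `proto > 0` test (new here, the removed code accepted any `r == 1`) silently changes how negative values from a client are treated. Prefer `strtoul()` with an `errno`/end-pointer check, or at least `%u` into an `unsigned int`, and mention the changed handling of negative values in the commit message, which is currently empty. Minor: drop the blank line after the opening `{` of extract_iv_proto.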
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 10 Aug 2020 16:37:07 +0200
Message-Id: <20200810143707.5834-18-arne@rfc2549.org>
In-Reply-To: <20200810143707.5834-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 17/17] Move openvpn specific key expansion into its own function

This moves the OpenVPN specific PRF into its own function and also simplifies the code a bit by passing tls_session directly instead of 5 of its fields.

Signed-off-by: Arne Schwabe
---
 src/openvpn/ssl.c | 109 +++++++++++++++++++++++++++++-----------------
 1 file changed, 69 insertions(+), 40 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 774ba7ed..91743862 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c
@@ -1765,27 +1765,38 @@ openvpn_PRF(const uint8_t *secret, VALGRIND_MAKE_READABLE((void *)output, output_len); } -/* - * Using source entropy from local and remote hosts, mix into - * master key. - */ -static bool -generate_key_expansion(struct key_ctx_bi *key, - const struct key_type *key_type, - const struct key_source2 *key_src, - const struct session_id *client_sid, - const struct session_id *server_sid, - bool server) +static void +init_key_contexts(struct key_ctx_bi *key, + const struct key_type *key_type, + bool server, + struct key2 *key2) +{ + /* Initialize OpenSSL key contexts */ + int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL; + init_key_ctx_bi(key, key2, key_direction, key_type, "Data Channel"); + + /* Initialize implicit IVs */ + key_ctx_update_implicit_iv(&key->encrypt, (*key2).keys[(int)server].hmac, + MAX_HMAC_KEY_LENGTH); + key_ctx_update_implicit_iv(&key->decrypt, (*key2).keys[1-(int)server].hmac, + MAX_HMAC_KEY_LENGTH); + +} + + +static struct key2 +generate_key_expansion_oepnvpn_prf(const struct tls_session *session) { + uint8_t master[48] = { 0 }; - struct key2 key2 = { 0 }; - bool ret = false; - if (key->initialized) - { - msg(D_TLS_ERRORS, "TLS Error: key already initialized"); - goto exit; - } + const struct key_state *ks = &session->key[KS_PRIMARY]; + const struct key_source2 *key_src = ks->key_src; + + const struct session_id *client_sid = session->opt->server ? + &ks->session_id_remote : &session->session_id; + const struct session_id *server_sid = !session->opt->server ? + &ks->session_id_remote : &session->session_id; /* debugging print of source key material */ key_source2_print(key_src); @@ -1803,6 +1814,7 @@ generate_key_expansion(struct key_ctx_bi *key, master, sizeof(master)); + struct key2 key2; /* compute key expansion */ openvpn_PRF(master, sizeof(master), 
@@ -1815,41 +1827,62 @@ generate_key_expansion(struct key_ctx_bi *key, server_sid, (uint8_t *)key2.keys, sizeof(key2.keys)); + secure_memzero(&master, sizeof(master)); + /* We use the DES fixup here so we can drop it once we + * drop DES support and non RFC5705 key derivation */ + for (int i = 0; i < 2; ++i) + { + fixup_key(&key2.keys[i], &session->opt->key_type); + } key2.n = 2; - key2_print(&key2, key_type, "Master Encrypt", "Master Decrypt"); + return key2; +} + +/* + * Using source entropy from local and remote hosts, mix into + * master key. + */ +static bool +generate_key_expansion(struct key_ctx_bi *key, + const struct tls_session *session) +{ + bool ret = false; + + if (key->initialized) + { + msg(D_TLS_ERRORS, "TLS Error: key already initialized"); + goto exit; + } + + + bool server = session->opt->server; + + struct key2 key2 = generate_key_expansion_oepnvpn_prf(session); + + key2_print(&key2, &session->opt->key_type, + "Master Encrypt", "Master Decrypt"); /* check for weak keys */ for (int i = 0; i < 2; ++i) { - fixup_key(&key2.keys[i], key_type); - if (!check_key(&key2.keys[i], key_type)) + if (!check_key(&key2.keys[i], &session->opt->key_type)) { msg(D_TLS_ERRORS, "TLS Error: Bad dynamic key generated"); goto exit; } } - - /* Initialize OpenSSL key contexts */ - int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL; - init_key_ctx_bi(key, &key2, key_direction, key_type, "Data Channel"); - - /* Initialize implicit IVs */ - key_ctx_update_implicit_iv(&key->encrypt, key2.keys[(int)server].hmac, - MAX_HMAC_KEY_LENGTH); - key_ctx_update_implicit_iv(&key->decrypt, key2.keys[1-(int)server].hmac, - MAX_HMAC_KEY_LENGTH); - + init_key_contexts(key, &session->opt->key_type, server, &key2); ret = true; exit: - secure_memzero(&master, sizeof(master)); secure_memzero(&key2, sizeof(key2)); return ret; } + static void key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len) { 
@@ -1879,10 +1912,7 @@ tls_session_generate_data_channel_keys(struct tls_session *session) { bool ret = false; struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */ - const struct session_id *client_sid = session->opt->server ? - &ks->session_id_remote : &session->session_id; - const struct session_id *server_sid = !session->opt->server ? - &ks->session_id_remote : &session->session_id; + if (ks->authenticated == KS_AUTH_FALSE) { @@ -1891,9 +1921,8 @@ tls_session_generate_data_channel_keys(struct tls_session *session) } ks->crypto_options.flags = session->opt->crypto_flags; - if (!generate_key_expansion(&ks->crypto_options.key_ctx_bi, - &session->opt->key_type, ks->key_src, client_sid, server_sid, - session->opt->server)) + + if (!generate_key_expansion(&ks->crypto_options.key_ctx_bi, session)) { msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed"); goto cleanup;
