Hi,

On Thu, Jul 28, 2022 at 09:47:33PM +0200, Antonio Quartulli wrote:
> DCO will try to install keys upon generating them, however, this happens
> when parsing pushed cipher options (due to NCP).
>
> For this reason we need to postpone parsing pushed cipher options to *after*
> the tunnel interface has been opened, otherwise we would have no DCO netdev
> object to operate on.
>
> At the same time we split the parsing code, so that we can ensure that
> the NEW_PEER call can happen after the received peer-id has been parsed
> (it is required by all DCO API calls).
>
> Signed-off-by: Antonio Quartulli <[email protected]>
Some aspects of this patch I do not like, and others are broken,
unfortunately.

What I do not like is the naming of finish_options(), because I find
it confusing in relation to the "first half" of that, do_deferred_options()
- so maybe name this do_deferred_options_crypto()? But this is somewhat
minor.

What I'm not sure about is the order of things in multi.c - but that
might be due to misunderstanding. But I wonder why you are calling
"multi_client_generate_tls_keys()" *before* processing the incoming
crypto options in "finish_options()", which calls update_crypto_params() -
is there an interdependency? Or does this not matter?

The "broken" bit is: it breaks udp p2p TLS connections - the server
will segfault. I guess this is due to moving p2p_ncp around...
The crash manifests as follows:
gdb openvpn
gdb> run server.conf
...
2022-08-02 12:50:45 us=144084 net_iface_mtu_set: mtu 1500 for tun5
2022-08-02 12:50:45 us=144179 net_iface_up: set tun5 up
2022-08-02 12:50:45 us=144241 net_addr_v6_add: fd00:abcd:204:8::1/64 dev tun5
2022-08-02 12:50:45 us=144396 Data Channel MTU parms [ mss_fix:0 max_frag:0
tun_mtu:1500 headroom:136 payload:1736 tailroom:557 ET:0 ]
2022-08-02 12:50:45 us=144457 Local Options String (VER=V4): 'V4,dev-type
tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,tun-ipv6,ifconfig 10.204.8.2
10.204.8.1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
2022-08-02 12:50:45 us=144480 Expected Remote Options String (VER=V4):
'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,tun-ipv6,ifconfig
10.204.8.1 10.204.8.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
2022-08-02 12:50:45 us=144539 Socket Buffers: R=[212992->212992]
S=[212992->212992]
2022-08-02 12:50:45 us=144568 setsockopt(IPV6_V6ONLY=0)
2022-08-02 12:50:45 us=144616 UDPv6 link local (bound): [AF_INET6][undef]:51204
2022-08-02 12:50:45 us=144644 UDPv6 link remote: [AF_UNSPEC]
<waiting, client connects>
2022-08-02 12:52:13 us=388007 Peer Connection Initiated with
[AF_INET6]::ffff:194.97.140.21:19880
Program received signal SIGSEGV, Segmentation fault.
0x00005555555d38e1 in
check_session_cipher (session=session@entry=0x448,
options=options@entry=0x7fffffffd4d0) at ssl_ncp.c:499
499 && streq(options->ciphername,
session->opt->config_ciphername);
(gdb) where
#0 0x00005555555d38e1 in check_session_cipher (session=session@entry=0x448,
options=options@entry=0x7fffffffd4d0) at ssl_ncp.c:499
#1 0x00005555555cab8b in tls_session_update_crypto_params (multi=0x0,
session=0x448, options=0x7fffffffd4d0, frame=0x7fffffffe0a0,
frame_fragment=0x0, lsi=0x55555562bc80) at ssl.c:1716
#2 0x000055555557899f in finish_options (c=<optimized out>) at init.c:2358
#3 0x0000555555578a65 in do_up (c=c@entry=0x7fffffffd4d0,
pulled_options=pulled_options@entry=false,
option_types_found=option_types_found@entry=0) at init.c:2131
#4 0x0000555555571326 in check_connection_established (c=0x7fffffffd4d0)
at forward.c:311
#5 process_coarse_timers (c=0x7fffffffd4d0) at forward.c:634
#6 check_coarse_timers (c=0x7fffffffd4d0) at forward.c:717
#7 pre_select (c=c@entry=0x7fffffffd4d0) at forward.c:1823
#8 0x0000555555597b36 in tunnel_point_to_point (c=0x7fffffffd4d0)
at openvpn.c:79
#9 openvpn_main (argc=2, argv=0x7fffffffe638) at openvpn.c:311
#10 0x00007ffff7cc21ea in ?? () from /lib64/libc.so.6
#11 0x00007ffff7cc229c in __libc_start_main () from /lib64/libc.so.6
#12 0x000055555555c0b1 in _start ()
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
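The backtrace above shows tls_session_update_crypto_params() entered with multi=0x0 but session=0x448: a small non-NULL pointer, which is the signature of an inner pointer derived from a NULL parent (an expression of the form &parent->field[i] forms the address without reading the parent, and the first real read through it faults). The following added example is not OpenVPN code and not part of this thread; its struct layouts are hypothetical stand-ins chosen so the derived value reproduces 0x448, and it shows the triage heuristic and the guard that catches this class of bug.

```c
/* Added example (not OpenVPN code): how a crash can show multi=0x0 together
 * with session=0x448. The fake_* layouts are hypothetical, sized so that the
 * derived pointer lands on the same offset seen in the backtrace. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define TM_SIZE 3

struct fake_session { char opt_pad[0x200]; void *opt; };                     /* hypothetical */
struct fake_multi   { char head[0x448]; struct fake_session session[TM_SIZE]; }; /* hypothetical */

/* What `&multi->session[idx]` evaluates to for a given parent address. Computed
 * with offsetof so this example never forms a pointer from NULL itself (UB). */
uintptr_t derived_session_addr(uintptr_t multi_addr, int idx)
{
    return multi_addr + offsetof(struct fake_multi, session)
           + (uintptr_t)idx * sizeof(struct fake_session);
}

/* Triage heuristic for a SIGSEGV: an argument or faulting address that is
 * non-zero but smaller than the parent struct is a field of a NULL parent,
 * not a stray heap or stack pointer. */
bool looks_like_null_derived(uintptr_t addr)
{
    return addr != 0 && addr < sizeof(struct fake_multi);
}

/* Defensive accessor: validate the parent *before* deriving the inner pointer.
 * A NULL check on the returned session pointer alone would never fire, since
 * 0x448 is not NULL. */
struct fake_session *active_session(struct fake_multi *multi, int idx)
{
    if (multi == NULL || idx < 0 || idx >= TM_SIZE) {
        return NULL;
    }
    return &multi->session[idx];
}

int main(void)
{
    uintptr_t a = derived_session_addr(0, 0);   /* multi == NULL, first slot */
    printf("&multi->session[0] with multi=NULL -> %#lx (%s)\n",
           (unsigned long)a, looks_like_null_derived(a) ? "NULL-derived" : "ok");
    printf("guarded accessor on NULL parent -> %p\n", (void *)active_session(NULL, 0));
    return 0;
}
```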
