Hi,

On 06/05/2021 16:12, Arne Schwabe wrote:
> tls_authentication_status does caching to avoid file I/O more than
> every TLS_MULTI_AUTH_STATUS_INTERVAL (10s) per connection. But
> counter-intuitively it does not return the cached result but rather
> TLS_AUTHENTICATION_UNDEFINED if the cache is not refreshed by the call.
>
> This is worked around by forcing a refresh in some areas of the code
> (latency = 0).
>
> This patch changes the behaviour by always returning the last known
> status and only updating the file status when the i/o timeout for the
> caches is reached.
>
> The old logic in send_auth_failed is fragile in the sense that if
> it is called again while an exit is scheduled it will reset the timer
> to 5s again. Since we now always report the status from
> tls_authentication_status() instead of only every 10s, this caused OpenVPN
> to infinitely reset the timer. Fix this by only setting the status
> if no exit is scheduled. The function is still called multiple times but
> since it is with coarse timer frequency, the 4 extra calls (1 per second)
> are better than to add more extra code to avoid these calls.
>
> The patch also changes the DEFINE enum into a real enum.
>
> Patch v2: only update tas_cache_last_udpate when actually updating the cache.
> Patch v3: avoid rearming timer
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>

It turned out that this area of the code was quite twisted and by
improving its logic we uncovered some corner cases.

This patch does what it says (improves caching logic and reduces the
voodoo magic), but also introduced some delay (well, due to caching)
that we did not have before.

"[PATCH] Use exponential backoff for caching in tls_authentication_status"
takes care of removing this delay by implementing a dynamic caching
latency (exp backoff).

Acked-by: Antonio Quartulli <anto...@openvpn.net>

Compiled in my lib zoo and tested in my basic environment.

-- 
Antonio Quartulli

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
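An added illustration of the behaviour discussed in this thread, not code from OpenVPN or from the patch: a simplified C model of a status cache that either returns "undefined" between refreshes or returns the last known status, combined with an exit timer that is or is not re-armed while an exit is already scheduled. All identifiers are hypothetical; only the 10s cache interval and the 5s exit delay are taken from the message.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Simplified model, not OpenVPN source. All identifiers are hypothetical;
 * the 10s and 5s values are the ones quoted in the commit message. */
enum auth_status { AUTH_UNDEFINED, AUTH_SUCCEEDED, AUTH_FAILED };
#define STATUS_INTERVAL 10 /* cache lifetime, seconds */
#define EXIT_DELAY 5       /* delay before a scheduled exit, seconds */

struct conn {
    enum auth_status backend; /* stand-in for the status read via file I/O */
    enum auth_status cached;  /* last status actually read */
    time_t last_update;       /* time of last real refresh, 0 = never */
    time_t exit_at;           /* 0 = no exit scheduled */
};

/* cached_result=false: old logic, UNDEFINED unless this call refreshed.
 * cached_result=true: patched logic, always the last known status. */
enum auth_status get_status(struct conn *c, time_t now, bool cached_result)
{
    if (c->last_update && now < c->last_update + STATUS_INTERVAL)
        return cached_result ? c->cached : AUTH_UNDEFINED;
    c->cached = c->backend; /* the only place the simulated I/O happens */
    c->last_update = now;   /* touched only on a real refresh */
    return c->cached;
}

/* Poll once per second against a failed backend. guard=true arms the exit
 * timer only when none is scheduled. Returns seconds until exit, or -1. */
long seconds_until_exit(bool cached_result, bool guard, int horizon)
{
    struct conn c = { .backend = AUTH_FAILED };
    const time_t t0 = 1000; /* constructed start time */
    for (time_t now = t0; now < t0 + horizon; now++) {
        if (c.exit_at && now >= c.exit_at)
            return (long)(now - t0);
        if (get_status(&c, now, cached_result) == AUTH_FAILED
            && !(guard && c.exit_at))
            c.exit_at = now + EXIT_DELAY; /* unguarded: re-armed every call */
    }
    return -1;
}

int main(void)
{
    printf("old status, no guard: %ld\n", seconds_until_exit(false, false, 60));
    printf("new status, no guard: %ld\n", seconds_until_exit(true, false, 60));
    printf("new status, guarded:  %ld\n", seconds_until_exit(true, true, 60));
}
```

In this model the unguarded timer only terminated under the old logic because the failure was reported once per 10s window; once every call reports the cached failure, the guard is what lets the 5s exit fire.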