Hi,

On Thu, Jul 28, 2022 at 09:47:33PM +0200, Antonio Quartulli wrote:
> DCO will try to install keys upon generating them, however, this happens
> when parsing pushed cipher options (due to NCP).
>
> For this reason we need to postpone parsing pushed cipher options to *after*
> the tunnel interface has been opened, otherwise we would have no DCO netdev
> object to operate on.
>
> At the same time we split the parsing code, so that we can ensure that
> the NEW_PEER call can happen after the received peer-id has been parsed
> (it is required by all DCO API calls).
>
> Signed-off-by: Antonio Quartulli <a...@unstable.cc>
Some aspects of this patch I do not like, and others are broken, unfortunately.

What I do not like is the naming of finish_options(), because I find it confusing in relation to the "first half" of that, do_deferred_options() - so maybe name this do_deferred_options_crypto()? But this is somewhat minor.

What I'm not sure about is the order of things in multi.c - but that might be due to misunderstanding. But I wonder why you are calling "multi_client_generate_tls_keys()" *before* processing the incoming crypto options in "finish_options()", which calls update_crypto_params() - is there an interdependency? Or does this not matter?

The "broken" bit is: it breaks udp p2p TLS connections - the server will segfault. I guess this is due to moving p2p_ncp around...

The crash manifests as follows:

gdb openvpn
gdb> run server.conf
...
2022-08-02 12:50:45 us=144084 net_iface_mtu_set: mtu 1500 for tun5
2022-08-02 12:50:45 us=144179 net_iface_up: set tun5 up
2022-08-02 12:50:45 us=144241 net_addr_v6_add: fd00:abcd:204:8::1/64 dev tun5
2022-08-02 12:50:45 us=144396 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 headroom:136 payload:1736 tailroom:557 ET:0 ]
2022-08-02 12:50:45 us=144457 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,tun-ipv6,ifconfig 10.204.8.2 10.204.8.1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
2022-08-02 12:50:45 us=144480 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,tun-ipv6,ifconfig 10.204.8.1 10.204.8.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
2022-08-02 12:50:45 us=144539 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-08-02 12:50:45 us=144568 setsockopt(IPV6_V6ONLY=0)
2022-08-02 12:50:45 us=144616 UDPv6 link local (bound): [AF_INET6][undef]:51204
2022-08-02 12:50:45 us=144644 UDPv6 link remote: [AF_UNSPEC]

<waiting, client connects>

2022-08-02 12:52:13 us=388007 Peer Connection Initiated with [AF_INET6]::ffff:194.97.140.21:19880

Program received signal SIGSEGV, Segmentation fault
0x00005555555d38e1 in check_session_cipher (session=session@entry=0x448, options=options@entry=0x7fffffffd4d0) at ssl_ncp.c:499
499         && streq(options->ciphername, session->opt->config_ciphername);
(gdb) where
#0  0x00005555555d38e1 in check_session_cipher (session=session@entry=0x448, options=options@entry=0x7fffffffd4d0) at ssl_ncp.c:499
#1  0x00005555555cab8b in tls_session_update_crypto_params (multi=0x0, session=0x448, options=0x7fffffffd4d0, frame=0x7fffffffe0a0, frame_fragment=0x0, lsi=0x55555562bc80) at ssl.c:1716
#2  0x000055555557899f in finish_options (c=<optimized out>) at init.c:2358
#3  0x0000555555578a65 in do_up (c=c@entry=0x7fffffffd4d0, pulled_options=pulled_options@entry=false, option_types_found=option_types_found@entry=0) at init.c:2131
#4  0x0000555555571326 in check_connection_established (c=0x7fffffffd4d0) at forward.c:311
#5  process_coarse_timers (c=0x7fffffffd4d0) at forward.c:634
#6  check_coarse_timers (c=0x7fffffffd4d0) at forward.c:717
#7  pre_select (c=c@entry=0x7fffffffd4d0) at forward.c:1823
#8  0x0000555555597b36 in tunnel_point_to_point (c=0x7fffffffd4d0) at openvpn.c:79
#9  openvpn_main (argc=2, argv=0x7fffffffe638) at openvpn.c:311
#10 0x00007ffff7cc21ea in ?? () from /lib64/libc.so.6
#11 0x00007ffff7cc229c in __libc_start_main () from /lib64/libc.so.6
#12 0x000055555555c0b1 in _start ()

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany                             g...@greenie.muc.de
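The backtrace above is worth reading closely from a debugging standpoint: tls_session_update_crypto_params() was entered with multi=0x0 but session=0x448, i.e. the session pointer is not NULL, it is a small constant offset from NULL. That is the signature of a pointer derived from a member of a base object that was never allocated (in p2p mode the TLS multi-object does not exist at the point finish_options() is now called). A NULL check on the derived session pointer would pass; only a check on the base object catches it. The following C program is an added illustration of that pattern, not code from OpenVPN or from this patch; the struct names and layouts are constructed stand-ins (the 0x448 padding is chosen only so the derived offset matches the trace), and the guard function shows the shape of check a caller should apply before deriving the session.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Constructed stand-ins; these are NOT OpenVPN's real struct layouts.
 * The header padding is an assumption sized so that 'session' lands at
 * offset 0x448, the value seen for 'session' in the backtrace. */
struct tls_session_like {
    int key_id;
    char opt_buf[64];
};

struct tls_multi_like {
    char header[0x448];
    struct tls_session_like session[2];
};

/* Mirrors the failing call pattern: derive the active session from the
 * multi-object without checking the multi-object itself. The arithmetic
 * is done on integers so the demonstration is well-defined even for a
 * NULL base; the result is exactly what &multi->session[0] would be. */
static uintptr_t derived_session_address(const struct tls_multi_like *multi)
{
    return (uintptr_t)multi + offsetof(struct tls_multi_like, session);
}

/* A naive guard on the derived pointer: passes for the bogus 0x448 value,
 * so it would not have prevented the crash. */
static bool naive_guard_passes(uintptr_t session)
{
    return session != 0;
}

/* Correct guard: check the base object before deriving anything from it.
 * Returns NULL (rather than a small non-NULL garbage pointer) when the
 * multi-object has not been created, e.g. before TLS init in p2p mode. */
static const struct tls_session_like *active_session(const struct tls_multi_like *multi)
{
    if (multi == NULL) {
        return NULL;
    }
    return &multi->session[0];
}

int main(void)
{
    struct tls_multi_like real = {0};
    uintptr_t bogus = derived_session_address(NULL);

    printf("session derived from NULL multi: %#lx, naive NULL check passes: %d\n",
           (unsigned long)bogus, naive_guard_passes(bogus));
    printf("guarded lookup on NULL multi: %p\n", (const void *)active_session(NULL));
    printf("guarded lookup on real multi: %p\n", (const void *)active_session(&real));
    return 0;
}
```

The practical consequence for a fix is that the guard belongs on c->c2.tls_multi (or on the mode, so the crypto-parameter update is simply not run for a connection that has no TLS multi-object yet) rather than on the session pointer handed down the call chain; that placement is a suggestion, not something the patch itself states.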
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel