dual mode

Author: Jon Chiappetta

src/openvpn/auth_token.c

@@ -35,15 +35,15 @@ auth_token_kt(void)
 }
 
 void
-add_session_token_env(struct tls_session *session, struct tls_multi *multi,
-                      const struct user_pass *up)
+add_session_token_env(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up)
 {
     if (!multi->opt.auth_token_generate)
     {
         return;
     }
 
-    int auth_token_state_flags = session->key[KS_PRIMARY].auth_token_state_flags;
+    struct key_state *ks = tls_select_encryption_key_init(multi);
+    int auth_token_state_flags = ks->auth_token_state_flags;
 
     const char *state;
 
@@ -81,7 +81,7 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi,
         state = "Invalid";
     }
 
-    setenv_str(session->opt->es, "session_state", state);
+    setenv_str(multi->opt.es, "session_state", state);
 
     /* We had a valid session id before */
     const char *session_id_source;
@@ -111,7 +111,7 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi,
     memcpy(session_id, session_id_source + strlen(SESSION_ID_PREFIX),
            AUTH_TOKEN_SESSION_ID_LEN * 8 / 6);
 
-    setenv_str(session->opt->es, "session_id", session_id);
+    setenv_str(multi->opt.es, "session_id", session_id);
 }
 
 void
@@ -217,8 +217,8 @@ generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
      * a new token with the empty username since we do not want to loose
      * the information that the username cannot be trusted
      */
-    struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY];
-    if (ks->auth_token_state_flags & AUTH_TOKEN_VALID_EMPTYUSER)
+    struct key_state *ks = tls_select_encryption_key_init(multi);
+    if (ks && ks->auth_token_state_flags & AUTH_TOKEN_VALID_EMPTYUSER)
     {
         hmac_ctx_update(ctx, (const uint8_t *)"", 0);
     }
@@ -415,10 +415,15 @@ void
 check_send_auth_token(struct context *c)
 {
     struct tls_multi *multi = c->c2.tls_multi;
-    struct tls_session *session = &multi->session[TM_ACTIVE];
 
-    if (get_primary_key(multi)->state < S_GENERATED_KEYS
-        || get_primary_key(multi)->authenticated != KS_AUTH_TRUE)
+    if (!multi)
+    {
+        return;
+    }
+
+    struct key_state *ks = tls_select_encryption_key_init(multi);
+
+    if (ks->state < S_GENERATED_KEYS || ks->authenticated != KS_AUTH_TRUE)
     {
         /* the currently active session is still in renegotiation or another
          * not fully authorized state. We are either very close to a
@@ -447,11 +452,11 @@ check_send_auth_token(struct context *c)
 
     generate_auth_token(&up, multi);
 
-    resend_auth_token_renegotiation(multi, session);
+    resend_auth_token_renegotiation(multi);
 }
 
 void
-resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session)
+resend_auth_token_renegotiation(struct tls_multi *multi)
 {
     /*
      * Auth token already sent to client, update auth-token on client.

src/openvpn/auth_token.h

@@ -128,7 +128,7 @@ is_auth_token(const char *password)
  * @param multi     Pointer the multi object of the TLS session
  * @param session   Pointer to the TLS session itself
  */
-void resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session);
+void resend_auth_token_renegotiation(struct tls_multi *multi);
 
 
 /**

src/openvpn/forward.c

@@ -293,7 +293,7 @@ check_incoming_control_channel(struct context *c)
 
     struct gc_arena gc = gc_new();
     struct buffer buf = alloc_buf_gc(len, &gc);
-    if (tls_rec_payload(c->c2.tls_multi, &buf))
+    while (tls_rec_payload(c->c2.tls_multi, &buf))
     {
         while (BLEN(&buf) > 1)
         {
@@ -305,10 +305,6 @@ check_incoming_control_channel(struct context *c)
             }
         }
     }
-    else
-    {
-        msg(D_PUSH_ERRORS, "WARNING: Receive control message failed");
-    }
 
     gc_free(&gc);
 }
@@ -372,20 +368,18 @@ check_connection_established(struct context *c)
 }
 
 bool
-send_control_channel_string_dowork(struct tls_session *session, const char *str,
-                                   msglvl_t msglevel)
+send_control_channel_string_dowork(struct tls_multi *multi, struct key_state *ks, const char *str, msglvl_t msglevel)
 {
     struct gc_arena gc = gc_new();
     bool stat;
 
-    ASSERT(session);
-    struct key_state *ks = &session->key[KS_PRIMARY];
+    ASSERT(multi);
 
     /* buffered cleartext write onto TLS control channel */
     stat = tls_send_payload(ks, (uint8_t *)str, strlen(str) + 1);
 
     msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
-        session->common_name ? session->common_name : "UNDEF", sanitize_control_message(str, &gc),
+        multi->common_name ? multi->common_name : "UNDEF", sanitize_control_message(str, &gc),
         (int)stat);
 
     gc_free(&gc);
@@ -402,12 +396,12 @@ reschedule_multi_process(struct context *c)
 bool
 send_control_channel_string(struct context *c, const char *str, msglvl_t msglevel)
 {
-    if (c->c2.tls_multi)
+    struct tls_multi *multi = c->c2.tls_multi;
+    if (multi)
     {
-        struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
-        bool ret = send_control_channel_string_dowork(session, str, msglevel);
+        struct key_state *ks = tls_select_encryption_key_init(multi);
+        bool ret = send_control_channel_string_dowork(multi, ks, str, msglevel);
         reschedule_multi_process(c);
-
         return ret;
     }
     return true;
@@ -2398,11 +2392,13 @@ get_io_flags_udp(struct context *c, struct multi_io *multi_io, const unsigned in
 }
 
 void
-io_wait_dowork(struct context *c, const unsigned int flags)
+io_wait_dowork(struct context *c, const unsigned int flags, int t)
 {
     unsigned int out_socket;
     unsigned int out_tuntap;
     struct event_set_return esr[4];
+    struct event_set *event_set = ((t & THREAD_RTWL) != 0) ? c->c2.event_set : c->c2.event_set2;
+    unsigned int *event_set_status = ((t & THREAD_RTWL) != 0) ? &(c->c2.event_set_status) : &(c->c2.event_set_status2);
 
     /* These shifts all depend on EVENT_READ and EVENT_WRITE */
     static uintptr_t socket_shift = SOCKET_SHIFT; /* depends on SOCKET_READ and SOCKET_WRITE */
@@ -2420,29 +2416,29 @@ io_wait_dowork(struct context *c, const unsigned int flags)
     /*
      * Decide what kind of events we want to wait for.
      */
-    event_reset(c->c2.event_set);
+    event_reset(event_set);
 
-    multi_io_process_flags(c, c->c2.event_set, flags, &out_socket, &out_tuntap);
+    multi_io_process_flags(c, event_set, flags, &out_socket, &out_tuntap);
 
 #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)
     if (out_socket & EVENT_READ && c->c2.did_open_tun)
     {
-        dco_event_set(&c->c1.tuntap->dco, c->c2.event_set, (void *)dco_shift);
+        dco_event_set(&c->c1.tuntap->dco, event_set, (void *)dco_shift);
     }
 #endif
 
 #ifdef ENABLE_MANAGEMENT
     if (management)
     {
-        management_socket_set(management, c->c2.event_set, (void *)management_shift, NULL);
+        management_socket_set(management, event_set, (void *)management_shift, NULL);
     }
 #endif
 
 #ifdef ENABLE_ASYNC_PUSH
     /* arm inotify watcher */
     if (c->options.mode == MODE_SERVER)
     {
-        event_ctl(c->c2.event_set, c->c2.inotify_fd, EVENT_READ, (void *)file_shift);
+        event_ctl(event_set, c->c2.inotify_fd, EVENT_READ, (void *)file_shift);
     }
 #endif
 
@@ -2456,7 +2452,7 @@ io_wait_dowork(struct context *c, const unsigned int flags)
      *  (6) timeout (tv) expired
      */
 
-    c->c2.event_set_status = ES_ERROR;
+    *event_set_status = ES_ERROR;
 
     if (!c->sig->signal_received)
     {
@@ -2474,14 +2470,14 @@ io_wait_dowork(struct context *c, const unsigned int flags)
             /*
              * Wait for something to happen.
              */
-            status = event_wait(c->c2.event_set, &c->c2.timeval, esr, SIZE(esr));
+            status = event_wait(event_set, &c->c2.timeval, esr, SIZE(esr));
 
             check_status(status, "event_wait", NULL, NULL);
 
             if (status > 0)
             {
                 int i;
-                c->c2.event_set_status = 0;
+                *event_set_status = 0;
                 for (i = 0; i < status; ++i)
                 {
                     const struct event_set_return *e = &esr[i];
@@ -2492,7 +2488,7 @@ io_wait_dowork(struct context *c, const unsigned int flags)
                         struct event_arg *ev_arg = (struct event_arg *)e->arg;
                         if (ev_arg->type != EVENT_ARG_LINK_SOCKET)
                         {
-                            c->c2.event_set_status = ES_ERROR;
+                            *event_set_status = ES_ERROR;
                             msg(D_LINK_ERRORS, "io_work: non socket event delivered");
                             return;
                         }
@@ -2504,30 +2500,26 @@ io_wait_dowork(struct context *c, const unsigned int flags)
                         shift = (uintptr_t)e->arg;
                     }
 
-                    c->c2.event_set_status |= ((e->rwflags & 3) << shift);
+                    *event_set_status |= ((e->rwflags & 3) << shift);
                 }
             }
-            else if (status == 0)
-            {
-                c->c2.event_set_status = ES_TIMEOUT;
-            }
         }
-        if (sockets_read_residual(c))
+        if (sockets_read_residual(c->c2.link_sockets, c->c1.link_sockets_num))
         {
-            c->c2.event_set_status |= (SOCKET_READ << SOCKET_SHIFT);
+            *event_set_status |= (SOCKET_READ << SOCKET_SHIFT);
         }
     }
 
     /* 'now' should always be a reasonably up-to-date timestamp */
     update_time();
 
     /* set signal_received if a signal was received */
-    if (c->c2.event_set_status & ES_ERROR)
+    if (*event_set_status & ES_ERROR)
     {
         get_signal(&c->sig->signal_received);
     }
 
-    dmsg(D_EVENT_WAIT, "I/O WAIT status=0x%04x", c->c2.event_set_status);
+    dmsg(D_EVENT_WAIT, "I/O WAIT status=0x%04x", *event_set_status);
 }
 
 void threaded_fwd_inp_intf(struct context *c, struct link_socket *sock, struct thread_pointer *b)
@@ -2547,7 +2539,7 @@ void threaded_fwd_inp_intf(struct context *c, struct link_socket *sock, struct t
 }
 
 void
-process_io(struct context *c, struct link_socket *sock, struct thread_pointer *b)
+process_io(struct context *c, struct link_socket *sock, struct thread_pointer *b, int t)
 {
     const unsigned int status = c->c2.event_set_status;
 
@@ -2560,17 +2552,17 @@ process_io(struct context *c, struct link_socket *sock, struct thread_pointer *b
 #endif
 
     /* TCP/UDP port ready to accept write */
-    if (status & SOCKET_WRITE)
+    if ((status & SOCKET_WRITE) && ((t & THREAD_RTWL) != 0))
     {
         process_outgoing_link(c, sock);
     }
     /* TUN device ready to accept write */
-    else if (status & TUN_WRITE)
+    else if ((status & TUN_WRITE) && ((t & THREAD_RLWT) != 0))
     {
         process_outgoing_tun(c, sock);
     }
     /* Incoming data on TCP/UDP port */
-    else if (status & SOCKET_READ)
+    else if ((status & SOCKET_READ) && ((t & THREAD_RLWT) != 0))
     {
         read_incoming_link(c, sock);
         if (!IS_SIG(c))
@@ -2579,15 +2571,77 @@ process_io(struct context *c, struct link_socket *sock, struct thread_pointer *b
         }
     }
     /* Incoming data on TUN device */
-    else if (status & TUN_READ)
+    else if ((status & TUN_READ) && ((t & THREAD_RTWL) != 0))
     {
         threaded_fwd_inp_intf(c, sock, b);
     }
-    else if (status & DCO_READ)
+    else if ((status & DCO_READ) && ((t & THREAD_RTWL) != 0))
     {
         if (!IS_SIG(c))
         {
             process_incoming_dco(c);
         }
     }
 }
+
+void *threaded_process_io(void *a)
+{
+    /*
+        dual mode commit notes:
+          - thread1 handles tunn-read->-link-send and thread2 handles link-read->-tunn-send
+          - set thread1 to handle the pre_select() call as it falls under the threaded paths
+            and the function will eventually overwrite the c2.buf and c2.to_link buffer variables
+            which will then cause data conflict and corruption errors if not called from thread1
+          - the server is slower to move through the key session states than the client is
+            so hold onto old keys longer before rotation and delay using new keys before selection
+          - dual mode is based on the organization and separation code implemented in bulk mode
+    */
+
+    struct dual_args *d = (struct dual_args *)a;
+    struct thread_pointer *b = d->b;
+
+    int t = d->t;
+    unsigned int f = d->f;
+    uint8_t buff[5];
+    size_t leng;
+
+    fd_set rfds;
+    struct timeval timo;
+
+    while (true)
+    {
+        if (b->p->z != 1) { break; }
+
+        FD_ZERO(&rfds); FD_SET(d->w[0][0], &rfds);
+        timo.tv_sec = 1; timo.tv_usec = 750000;
+        select(d->w[0][0]+1, &rfds, NULL, NULL, &timo);
+
+        if (b->p->z != 1) { break; }
+
+        if (FD_ISSET(d->w[0][0], &rfds))
+        {
+            leng = read(d->w[0][0], buff, 1);
+            if (leng < 1) { /* no-op */ }
+
+            if (d->a == TA_UNDEF)
+            {
+                multi_io_process_io(b, f, t);
+            }
+            else if (d->a == TA_TIMEOUT)
+            {
+                struct multi_context *m = b->p->m[b->i-1];
+                multi_io_action(m, NULL, TA_TIMEOUT, false, f, t);
+            }
+            else if (d->a == TA_FORWARD)
+            {
+                struct context *c = d->c;
+                process_io(c, c->c2.link_sockets[0], b, t);
+            }
+
+            d->z = 0;
+            leng = write(d->w[1][1], buff, 1);
+        }
+    }
+
+    return NULL;
+}