authorArne Schwabe2022-12-13 23:54:29 +0100
committerGert Doering2022-12-14 09:01:20 +0100
commit238ac1785f08e4cde4c095629c94f2b9bcc977fa (patch)
tree5186d8c1fb0cfc1d5e818721a0fb5afea82ed7a0 /src/openvpn/dco.c
parent8910b5b6028ee0feb9c324b1baf137cae5b4d9bd (diff)
Trigger a USR1 if dco_update_keys fails
When dco_update_keys fails, we are in some weird state that we are unlikely to recover from, since what userspace and kernel space think of the keys is very likely not in sync anymore. So abandon the connection if this happens. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Antonio Quartulli <antonio@openvpn.net> Message-Id: <20221213225430.1892940-2-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25679.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 419051c96e9fb1f3202fd67733aa3b6a4bbc3181)
Diffstat (limited to 'src/openvpn/dco.c')
-rw-r--r--src/openvpn/dco.c15
1 files changed, 8 insertions, 7 deletions
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index c250826..5804ce7 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -130,7 +130,7 @@ dco_get_secondary_key(struct tls_multi *multi, const struct key_state *primary)
return NULL;
}
-void
+bool
dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
{
msg(D_DCO_DEBUG, "%s: peer_id=%d", __func__, multi->dco_peer_id);
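Review bot: The new `bool` return of dco_update_keys has no comment stating what true and false mean, and since callers are expected to abandon the connection on false that contract should be written at the definition. Suggested comment above the `bool` line: `/* Returns true when the kernel DCO key slots match userspace state (including the no-keys-installed case); false when a dco_* call failed, after which userspace and kernel key state can no longer be assumed consistent and the caller must tear the connection down. */`. The prototype in the header is outside this diffstat-limited view, so I cannot confirm it was updated in the same commit; presumably it was. The body of dco_update_keys continues past this hunk.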
@@ -140,7 +140,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
*/
if (multi->dco_keys_installed == 0)
{
- return;
+ return true;
}
struct key_state *primary = tls_select_encryption_key(multi);
@@ -155,18 +155,18 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
if (ret < 0)
{
msg(D_DCO, "Cannot delete primary key during wipe: %s (%d)", strerror(-ret), ret);
- return;
+ return false;
}
ret = dco_del_key(dco, multi->dco_peer_id, OVPN_KEY_SLOT_SECONDARY);
if (ret < 0)
{
msg(D_DCO, "Cannot delete secondary key during wipe: %s (%d)", strerror(-ret), ret);
- return;
+ return false;
}
multi->dco_keys_installed = 0;
- return;
+ return true;
}
/* if we have a primary key, it must have been installed already (keys
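Review bot: In the wipe branch, a failed delete of the primary key now returns false before the secondary slot is touched and before `multi->dco_keys_installed` is cleared, so on the false path one or both keys may still be installed in the kernel while userspace has already given up on them. That is acceptable only if the caller's recovery (USR1 restart, not shown here) also removes the DCO peer so the stale key material does not outlive the session; a short comment at the first `return false;` saying `/* kernel may still hold key material; caller must tear down the peer */` would make that dependency explicit. The same consideration applies to the `return false;` sites in the later hunks at lines 63 and 71. The enclosing function starts and ends outside this hunk.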
@@ -198,7 +198,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
if (ret < 0)
{
msg(D_DCO, "Cannot swap keys: %s (%d)", strerror(-ret), ret);
- return;
+ return false;
}
primary->dco_status = DCO_INSTALLED_PRIMARY;
@@ -216,7 +216,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
if (ret < 0)
{
msg(D_DCO, "Cannot delete secondary key: %s (%d)", strerror(-ret), ret);
- return;
+ return false;
}
multi->dco_keys_installed = 1;
}
@@ -230,6 +230,7 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi)
ks->dco_status = DCO_NOT_INSTALLED;
}
}
+ return true;
}
static bool