Add lookup of multi session by session id

TODO: We seem to support that a peer changes it session id. Is that really
      supported/how to reproduce that?

Change-Id: Idb59ecd119331b198792ad1379bec8600211651b
Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Author: schwabe

CMakeLists.txt

@@ -826,6 +826,7 @@ if (BUILD_TESTING)
         src/openvpn/siphash.c
         src/openvpn/siphash_reference.c
         src/openvpn/siphash_openssl.c
+        src/openvpn/session_id.c
     )
 
     target_sources(test_ncp PRIVATE

doc/man-sections/advanced-options.rst

@@ -29,14 +29,19 @@ used when debugging or testing out special usage scenarios.
 
 --hash-size args
   Set the size of the real address hash table to ``r`` and the virtual
-  address table to ``v``.
+  address table to ``v``. And if specified the session id hash table to
+  ``s``.
 
   Valid syntax:
   ::
 
      hash-size r v
 
   By default, both tables are sized at 1024 buckets.
+    hash-size r v s
+
+  By default, both address tables are sized at 1024 buckets and session id
+  table is sized at double the real address table if not specified (2048).
 
 --bcast-buffers n
   Allocate ``n`` buffers for broadcast datagrams (default :code:`256`).

src/openvpn/mudp.c

@@ -32,6 +32,7 @@
 
 #include "memdbg.h"
 #include "ssl_pkt.h"
+#include "sid_hash.h"
 
 #ifdef HAVE_SYS_INOTIFY_H
 #include <sys/inotify.h>
@@ -166,7 +167,7 @@ do_pre_decrypt_check(struct multi_context *m, struct tls_pre_decrypt_state *stat
         }
         else
         {
-            msg(D_MULTI_DEBUG,
+            msg(D_MULTI_MEDIUM,
                 "Valid packet (%s) with HMAC challenge from peer (%s), "
                 "accepting new connection.",
                 packet_opcode_name(op), peer);
@@ -180,6 +181,7 @@ do_pre_decrypt_check(struct multi_context *m, struct tls_pre_decrypt_state *stat
     return false;
 }
 
+
 #if defined(__GNUC__) || defined(__clang__)
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wsign-compare"
@@ -235,6 +237,7 @@ handle_connection_attempt(struct multi_context *m,
                     struct tls_session *session =
                         &mi->context.c2.tls_multi->session[TM_INITIAL];
                     session_skip_to_pre_start(session, &state, &m->top.c2.from);
+                    multi_hash_sid_add(m, &state.peer_session_id, mi);
                 }
             }
         }
@@ -254,17 +257,43 @@ handle_connection_attempt(struct multi_context *m,
 struct multi_instance *
 multi_get_instance_udp_control(struct multi_context *m, struct link_socket *sock)
 {
+    struct hash *addr_hash = m->hash;
+
+    /* Copy buffer, to a tmp buffer, so that reading the sesison does not
+     * modify the internal pointers */
+    struct buffer tmp = m->top.c2.buf;
+
+    /* op code */
+    uint8_t op = (uint8_t)buf_read_u8(&tmp);
+
+    struct session_id sid = { 0 };
+    session_id_read(&sid, &tmp);
+
+    struct hash_element *he_sid = multi_hash_sid_lookup(m, &sid);
+
+    if (he_sid)
+    {
+        return he_sid->value;
+    }
+
+    /* If we cannot find the session the only valid case where we assign
+     * this to an existing session is the case when this is a soft reset.
+     * In this case we fall back to the lookup via IP address */
+    if (op != P_CONTROL_SOFT_RESET_V1)
+    {
+        return NULL;
+    }
+
     struct mroute_addr real = { 0 };
-    struct hash *hash = m->hash;
     real.proto = sock->info.proto;
 
-    if (mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true) && m->top.c2.buf.len > 0)
+    if (mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
     {
         struct hash_element *he;
-        const uint64_t hv = hash_value(hash, &real);
-        struct hash_bucket *bucket = hash_bucket(hash, hv);
+        const uint64_t addr_hv = hash_value(addr_hash, &real);
+        struct hash_bucket *bucket = hash_bucket(addr_hash, addr_hv);
 
-        he = hash_lookup_fast(hash, bucket, &real, hv);
+        he = hash_lookup_fast(addr_hash, bucket, &real, addr_hv);
         if (he)
         {
             return he->value;
@@ -357,6 +386,13 @@ multi_get_create_instance_udp(struct multi_context *m, bool *floated, struct lin
     }
     else
     {
+        if (m->top.c2.buf.len < 9)
+        {
+            /* control packets must be at least the opcode byte + session id
+             * (8 byte) long, otherwise they are not valid packets */
+            return NULL;
+        }
+
         mi = multi_get_instance_udp_control(m, sock);
 
         /* we have no existing multi instance for this connection, control

src/openvpn/multi.c

@@ -23,6 +23,7 @@
 #ifdef HAVE_CONFIG_H
 #include "config.h"
 #endif
+#include "sid_hash.h"
 #include "siphash.h"
 
 #ifdef HAVE_SYS_INOTIFY_H
@@ -272,8 +273,8 @@ multi_init(struct context *t)
     struct multi_context *m = t->multi;
     int dev = DEV_TYPE_UNDEF;
 
-    msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d", t->options.real_hash_size,
-        t->options.virtual_hash_size);
+    msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d s=%d", t->options.real_hash_size,
+        t->options.virtual_hash_size, t->options.sid_hash_size);
 
     /*
      * Get tun/tap/null device type
@@ -301,6 +302,12 @@ multi_init(struct context *t)
     m->vhash = hash_init(t->options.virtual_hash_size, siphash_new_context(), siphash_free_context,
                          mroute_addr_hash_function, mroute_addr_compare_function);
 
+    /*
+     * Peer session id hash table. Used to lookup a session by the session
+     * id of one of its active sessions */
+    m->sid_hash = hash_init(t->options.sid_hash_size, siphash_new_context(), siphash_free_context,
+                            session_id_hash_function, session_id_hash_equal);
+
 #ifdef ENABLE_MANAGEMENT
     m->cid_hash = hash_init(t->options.real_hash_size, NULL, free, cid_hash_function, cid_compare_function);
 #endif
@@ -599,6 +606,15 @@ multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool sh
         }
 #endif
 
+        for (int i = 0; i < SIZE(mi->sid_hashed_values); i++)
+        {
+            if (session_id_defined(&mi->sid_hashed_values[i]))
+            {
+                multi_hash_sid_remove(m, &mi->sid_hashed_values[i]);
+                CLEAR(mi->sid_hashed_values[i]);
+            }
+        }
+
         if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
         {
             m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
@@ -673,6 +689,7 @@ multi_uninit(struct multi_context *m)
 
         hash_free(m->hash);
         hash_free(m->vhash);
+        hash_free(m->sid_hash);
 #ifdef ENABLE_MANAGEMENT
         hash_free(m->cid_hash);
 #endif

src/openvpn/multi.h

@@ -134,6 +134,10 @@ struct multi_instance
     bool did_real_hash;
 #ifdef ENABLE_MANAGEMENT
     bool did_cid_hash;
+    /* The values we put into the multi_context->sid_hash to be able to
+     * update the sid_hash without putting updates deep into the tls
+     * methods, the key pointers of the hash map also point here */
+    struct session_id sid_hashed_values[2];
     struct buffer_list *cc_config;
 #endif
     bool did_iroutes;
@@ -170,6 +174,11 @@ struct multi_context
                                         *   address of the remote peer. */
     struct hash *vhash;                /**< VPN tunnel instances indexed by
                                         *   virtual address of remote hosts. */
+    struct hash *sid_hash;             /**< TLS sessions indexed by the peer's
+                                            session id. We do not care collisions here
+                                            as clients should have unique ids and
+                                            supporting clients with identical SIDs
+                                            is not needed */
     struct schedule *schedule;
     struct mbuf_set *mbuf;             /**< Set of buffers for passing data
                                         *   channel packets between VPN tunnel

src/openvpn/options.c

@@ -851,6 +851,7 @@ init_options(struct options *o)
     o->vlan_pvid = 1;
     o->real_hash_size = 1024;
     o->virtual_hash_size = 1024;
+    o->sid_hash_size = 2048;
     o->n_bcast_buf = 256;
     o->tcp_queue_limit = 64;
     o->max_clients = 1024;
@@ -7312,7 +7313,7 @@ add_option(struct options *options, char *p[], bool is_inline, const char *file,
         options->ifconfig_ipv6_pool_base = network;
         options->ifconfig_ipv6_pool_netbits = netbits;
     }
-    else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[3])
+    else if (streq(p[0], "hash-size") && p[1] && p[2] && !p[4])
     {
         int real, virtual;
 
@@ -7324,6 +7325,21 @@ add_option(struct options *options, char *p[], bool is_inline, const char *file,
         }
         options->real_hash_size = (uint32_t)real;
         options->virtual_hash_size = (uint32_t)virtual;
+
+        if (p[3])
+        {
+            int sid;
+            if (!atoi_constrained(p[2], &sid, "hash-size sid", 1, INT_MAX, msglevel))
+            {
+                goto err;
+            }
+            options->sid_hash_size = (uint32_t)sid;
+        }
+        else
+        {
+            options->sid_hash_size = (uint32_t)(2 * real);
+        }
+
     }
     else if (streq(p[0], "connect-freq") && p[1] && p[2] && !p[3])
     {

src/openvpn/options.h

@@ -496,6 +496,7 @@ struct options
 
     uint32_t real_hash_size;
     uint32_t virtual_hash_size;
+    uint32_t sid_hash_size;
     const char *client_connect_script;
     const char *client_disconnect_script;
     const char *learn_address_script;

src/openvpn/sid_hash.h

@@ -0,0 +1,97 @@
+/*
+ *  OpenVPN -- An application to securely tunnel IP networks
+ *             over a single TCP/UDP port, with support for SSL/TLS-based
+ *             session authentication and key exchange,
+ *             packet encryption, packet authentication, and
+ *             packet compression.
+ *
+ *  Copyright (C) 2026 OpenVPN Inc <sales@openvpn.net>
+ *  Copyright (C) 2026 Arne Schwabe <arne@rfc2549.org>
+ *
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2
+ *  as published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "session_id.h"
+#include "multi.h"
+#include "list.h"
+#include "siphash.h"
+
+inline static void
+multi_hash_sid_add(struct multi_context *m, struct session_id *sid,
+                   struct multi_instance *mi)
+{
+    struct session_id *stored_sid = NULL;
+    for (int i = 0; i < 2; i++)
+    {
+        if (!session_id_defined(mi->sid_hashed_values))
+        {
+            stored_sid = mi->sid_hashed_values;
+            break;
+        }
+    }
+    /* there should be always a free slot if we try to add to map */
+    ASSERT(stored_sid);
+
+    *stored_sid = *sid;
+
+    const uint64_t hv = hash_value(m->sid_hash, stored_sid);
+    struct hash_bucket *bucket = hash_bucket(m->sid_hash, hv);
+    hash_add_fast(m->sid_hash, bucket, stored_sid, hv, mi);
+    multi_instance_inc_refcount(mi);
+}
+
+inline static bool
+multi_hash_sid_remove(struct multi_context *m, struct session_id *sid)
+{
+    const uint64_t hv = hash_value(m->sid_hash, sid);
+    struct hash_bucket *bucket = hash_bucket(m->sid_hash, hv);
+    struct hash_element *he = hash_lookup_fast(m->sid_hash, bucket, sid, hv);
+    if (he)
+    {
+        struct multi_instance *mi = he->value;
+        ASSERT(hash_remove_fast(m->sid_hash, bucket, sid, hv));
+        multi_instance_dec_refcount(mi);
+        return true;
+    }
+    else
+    {
+        return false;
+    }
+}
+
+static inline struct hash_element *
+multi_hash_sid_lookup(struct multi_context *m, struct session_id *sid)
+{
+    const uint64_t sid_hv = hash_value(m->sid_hash, sid);
+    struct hash_bucket *sid_bucket = hash_bucket(m->sid_hash, sid_hv);
+    struct hash_element *he_sid = hash_lookup_fast(m->sid_hash, sid_bucket, sid, sid_hv);
+    return he_sid;
+}
+
+/* hashing the session. As the struct is just an 8 byte array
+ * hashing is straight forward */
+static inline uint64_t
+session_id_hash_function(const void *key, void *ctx)
+{
+    return siphash_hash_func(key, sizeof(struct session_id), ctx);
+}
+
+/* wrapper for session_id_equal to have the void* arguments that the
+ * hash map requires */
+static inline bool
+session_id_hash_equal(const void *sid1, const void *sid2)
+{
+    return session_id_equal((struct session_id *)sid1, (struct session_id *)sid2);
+}

tests/unit_tests/openvpn/Makefile.am

@@ -382,7 +382,8 @@ misc_testdriver_SOURCES = test_misc.c \
 	$(top_srcdir)/src/openvpn/list.c \
 	$(top_srcdir)/src/openvpn/siphash.c \
 	$(top_srcdir)/src/openvpn/siphash_openssl.c \
-	$(top_srcdir)/src/openvpn/siphash_reference.c
+	$(top_srcdir)/src/openvpn/siphash_reference.c \
+	$(top_srcdir)/src/openvpn/session_id.c
 
 push_update_msg_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn \
 	-I$(top_srcdir)/src/compat \