Change pull request timeout use a timeout rather than a number

This commit changes the count n_sent_push_requests to time_t based
push_request_timeout. This is more in line to our other timeouts which
are also time based instead of number retries based.

This does not change the behaviour but it prepares allowing to extend
the pull request timeout during a pending authentication. As a user
visible change we print the the time we waited for a timeout instead

Also update the man page to actually document that hand-window controls
this timeout.

Patch V2: grammar fix in manual page

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20210125125628.30364-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21490.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst
index 28cf6f1e1ae90149f7477ddd39ec49a7a5880800..e13fb3c8a4cbfa056abf1626a811037d3374646b 100644 (file)
--- a/doc/man-sections/tls-options.rst
+++ b/doc/man-sections/tls-options.rst
@@ -200,6 +200,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa
   will still use our expiring key for up to ``--tran-window`` seconds to
   maintain continuity of transmission of tunnel data.
 
+  The ``--hand-window`` parameter also controls the amount of time that
+  the OpenVPN client repeats the pull request until it times out.
+
 --key file
   Local peer's private key in .pem format. Use the private key which was
   generated when you built your peer's certificate (see ``--cert file``

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 17a2699d066c058642e92dd8924ff7eab73f9462..aaaa1753a87045a688a8ca687d52e61cb1e78166 100644 (file)
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -299,6 +299,7 @@ check_connection_established(struct context *c)
             }
 #endif
             /* fire up push request right away (already 1s delayed) */
+            c->c2.push_request_timeout = now + c->options.handshake_window;
             event_timeout_init(&c->c2.push_request_interval, 0, now);
             reset_coarse_timers(c);
         }

diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
index 4ca89ba9e8389b31bab766fe188523d1c84f502b..e9bc7dad124f4a9bb81d00ad401854069909055f 100644 (file)
--- a/src/openvpn/openvpn.h
+++ b/src/openvpn/openvpn.h
@@ -462,7 +462,7 @@ struct context_2
     enum client_connect_status context_auth;
 
     struct event_timeout push_request_interval;
-    int n_sent_push_requests;
+    time_t push_request_timeout;
     bool did_pre_pull_restore;
 
     /* hash of pulled options, so we can compare when options change */

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 26a6201fa61790e998eab6d962c66a9c696bf870..fb6b9d1741f0f6422c9a9c5f55870c4854f43fe8 100644 (file)
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -369,14 +369,17 @@ cleanup:
 bool
 send_push_request(struct context *c)
 {
-    const int max_push_requests = c->options.handshake_window / PUSH_REQUEST_INTERVAL;
-    if (++c->c2.n_sent_push_requests <= max_push_requests)
+    struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
+    struct key_state *ks = &session->key[KS_PRIMARY];
+
+    if (c->c2.push_request_timeout > now)
     {
         return send_control_channel_string(c, "PUSH_REQUEST", D_PUSH);
     }
     else
     {
-        msg(D_STREAM_ERRORS, "No reply from server after sending %d push requests", max_push_requests);
+        msg(D_STREAM_ERRORS, "No reply from server to push requests in %ds",
+            (int)(now - ks->established));
         c->sig->signal_received = SIGUSR1; /* SOFT-SIGUSR1 -- server-pushed connection reset */
         c->sig->signal_text = "no-push-reply";
         return false;