[Openvpn-devel,11/25] dco: split option parsing routines

Message ID	20220624083809.23487-12-a@unstable.cc
State	Changes Requested
Headers	show Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> From: Antonio Quartulli <a@unstable.cc> To: openvpn-devel@lists.sourceforge.net Date: Fri, 24 Jun 2022 10:37:55 +0200 Message-Id: <20220624083809.23487-12-a@unstable.cc> In-Reply-To: <20220624083809.23487-1-a@unstable.cc> References: <20220624083809.23487-1-a@unstable.cc> MIME-Version: 1.0 preview: DCO will try to install keys upon generating them, however, this happens when parsing pushed cipher options (due to NCP). For this reason we need to postpone parsing pushed cipher options to after the tunnel interface has been opened, otherwise we would have no DCO netdev object to operate on. Content analysis details: (-0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -0.0 T_SCC_BODY_TEXT_LINE No description available. Subject: [Openvpn-devel] [PATCH 11/25] dco: split option parsing routines Precedence: list Cc: Antonio Quartulli <a@unstable.cc> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
Series	ovpn-dco: introduce data-channel offload support \| expand [Openvpn-devel,00/25] ovpn-dco: introduce data-channel offload support [Openvpn-devel,01/25] dco: introduce low-level code for handling ovpn-dco in the Linux kernel [Openvpn-devel,02/25] dco: add helper function to detect if DCO is enabled or not [Openvpn-devel,03/25] dco: use specific metric when installing routes [Openvpn-devel,04/25] dco: create DCO interface using SITNL [Openvpn-devel,05/25] dco: let open_tun_generic handle the DCO case [Openvpn-devel,06/25] dco: initialize context and save pointer in TLS object [Openvpn-devel,07/25] dco: add option check - disable DCO if conflict is detected [Openvpn-devel,08/25] dco: allow user to disable it at runtime [Openvpn-devel,09/25] dco: configure keys in DCO right after generating them [Openvpn-devel,10/25] dco: periodically check and possibly rotate/delete keys [Openvpn-devel,11/25] dco: split option parsing routines [Openvpn-devel,12/25] dco: check that pulled options are compatible [Openvpn-devel,13/25] dco: implement dco support for p2p/client code path [Openvpn-devel,14/25] dco: implement dco support for p2mp/server code path [Openvpn-devel,15/25] dco: add documentation for ovpn-dco-linux [Openvpn-devel,16/25] GitHub Actions: add Linux DCO build (on Ubuntu 20.04) [Openvpn-devel,17/25] tun: extract close_tun_handle into its own fucntion and print correct type [Openvpn-devel,18/25] dco: turn supported ciphers list into a function [Openvpn-devel,19/25] dco-win: implement GetOverlappedResultEx for mingw32 [Openvpn-devel,20/25] dco-win: add platform dependant check on incompatible options [Openvpn-devel,21/25] do_open_tun: restyle "can preserve TUN" check [Openvpn-devel,22/25] dco-win: introduce low-level code for handling ovpn-dco-win in Windows [Openvpn-devel,23/25] dco-win: implement ovpn-dco support in P2P Windows code path [Openvpn-devel,24/25] dco-win: add documentation to README.dco.md [Openvpn-devel,25/25] dco-win: update GH Actions config file

Message ID

20220624083809.23487-12-a@unstable.cc

State

Changes Requested

Headers

From: Antonio Quartulli <a@unstable.cc>
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 24 Jun 2022 10:37:55 +0200
Message-Id: <20220624083809.23487-12-a@unstable.cc>
In-Reply-To: <20220624083809.23487-1-a@unstable.cc>
References: <20220624083809.23487-1-a@unstable.cc>
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH 11/25] dco: split option parsing routines
Precedence: list
Cc: Antonio Quartulli <a@unstable.cc>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

Series

ovpn-dco: introduce data-channel offload support | expand

Commit Message

Antonio Quartulli June 23, 2022, 10:37 p.m. UTC

DCO will try to install keys upon generating them, however, this happens
when parsing pushed cipher options (due to NCP).

For this reason we need to postpone parsing pushed cipher options to *after*
the tunnel interface has been opened, otherwise we would have no DCO netdev
object to operate on.

At the same time we split the parsing code, so that we can ensure that
the NEW_PEER call can happen after the received peer-id has been parsed
(it is required by all DCO API calls).

Signed-off-by: Antonio Quartulli <a@unstable.cc>
---
 src/openvpn/init.c  | 59 ++++++++++++++++++++++++++++-----------------
 src/openvpn/init.h  |  2 ++
 src/openvpn/multi.c |  7 ++++++
 3 files changed, 46 insertions(+), 22 deletions(-)

Comments

Arne Schwabe June 28, 2022, 4:29 a.m. UTC | #1

Am 24.06.22 um 10:37 schrieb Antonio Quartulli:
> +        if (!finish_options(c))
> +        {
> +            msg(D_TLS_ERRORS, "ERROR: Failed to finish option processing");
> +            return false;
> +        }

This error is a bit too generic for my taste. Can we make it more 
specific? Like "Failed to apply options when finalising tun setup" or 
something?

Arne

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 06911cd0..b0a4b252 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2068,14 +2068,6 @@  do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
                 return false;
             }
         }
-        else if (c->mode == MODE_POINT_TO_POINT)
-        {
-            if (!do_deferred_p2p_ncp(c))
-            {
-                msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
-                return false;
-            }
-        }
 
         /* if --up-delay specified, open tun, do ifconfig, and run up script now */
         if (c->options.up_delay || PULL_DEFINED(&c->options))
@@ -2102,6 +2094,22 @@  do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
             }
         }
 
+        if (!pulled_options && c->mode == MODE_POINT_TO_POINT)
+        {
+            if (!do_deferred_p2p_ncp(c))
+            {
+                msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options");
+                return false;
+            }
+        }
+
+        if (!finish_options(c))
+        {
+            msg(D_TLS_ERRORS, "ERROR: Failed to finish option processing");
+            return false;
+        }
+
+
         if (c->c2.did_open_tun)
         {
             c->c1.pulled_options_digest_save = c->c2.pulled_options_digest;
@@ -2307,23 +2315,30 @@  do_deferred_options(struct context *c, const unsigned int found)
         {
             return false;
         }
-        struct frame *frame_fragment = NULL;
+    }
+
+    return true;
+}
+
+bool
+finish_options(struct context *c)
+{
+    struct frame *frame_fragment = NULL;
 #ifdef ENABLE_FRAGMENT
-        if (c->options.ce.fragment)
-        {
-            frame_fragment = &c->c2.frame_fragment;
-        }
+    if (c->options.ce.fragment)
+    {
+        frame_fragment = &c->c2.frame_fragment;
+    }
 #endif
 
-        struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
-        if (!tls_session_update_crypto_params(c->c2.tls_multi, session,
-                                              &c->options, &c->c2.frame,
-                                              frame_fragment,
-                                              get_link_socket_info(c)))
-        {
-            msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
-            return false;
-        }
+    struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
+    if (!tls_session_update_crypto_params(c->c2.tls_multi, session,
+                                          &c->options, &c->c2.frame,
+                                          frame_fragment,
+                                          get_link_socket_info(c)))
+    {
+        msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options");
+        return false;
     }
 
     return true;
diff --git a/src/openvpn/init.h b/src/openvpn/init.h
index 2b8c2dcc..98e71d3a 100644
--- a/src/openvpn/init.h
+++ b/src/openvpn/init.h
@@ -97,6 +97,8 @@  void reset_coarse_timers(struct context *c);
 
 bool do_deferred_options(struct context *c, const unsigned int found);
 
+bool finish_options(struct context *c);
+
 void inherit_context_child(struct context *dest,
                            const struct context *src);
 
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index c72575ae..34ab90b4 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2405,6 +2405,13 @@  multi_client_connect_late_setup(struct multi_context *m,
     {
         mi->context.c2.tls_multi->multi_state = CAS_FAILED;
     }
+    /* Continue processing options only if authentication hasn't failed.
+     * Otherwise it does not make sense and we may operate on a non-configured
+     * client instance */
+    else
+    {
+        finish_options(&mi->context);
+    }
 
     /* send push reply if ready */
     if (mi->context.c2.push_request_received)

[Openvpn-devel,11/25] dco: split option parsing routines

Commit Message

Comments

Patch