From patchwork Wed Aug 17 23:26:38 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2694
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Lev Stipakov, Antonio Quartulli
Date: Thu, 18 Aug 2022 11:26:38 +0200
Message-Id: <20220818092638.189632-1-a@unstable.cc>
In-Reply-To: <20220813204224.22576-2-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH v102i 2/7] dco-win: check for incompatible options

At the moment dco-win doesn't support --persist-tun and --server, so
check for these options at startup time.

Signed-off-by: Antonio Quartulli
Signed-off-by: Lev Stipakov
---
Changes from v101:
* rebased
* remove call to dco_check_option_ from verify() and reuse invocation that was already implemented for linux/freebsd in mutate_ce()
* hide log level to use in case of option check failure inside dco_win/linux/freebsd.h

Changes from v100:
* improved commit title/message
---
 src/openvpn/dco.c         | 17 +++++++++++++++--
 src/openvpn/dco_freebsd.h |  3 +++
 src/openvpn/dco_linux.h   |  3 +++
 src/openvpn/dco_win.h     |  5 +++++
 src/openvpn/options.c     |  6 ++----
 5 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 757ac19b..0aeecc54 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -225,7 +225,20 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) bool dco_check_startup_option_conflict(int msglevel, const struct options *o) { -#if defined(TARGET_LINUX) +#if defined(_WIN32) + if (o->mode == MODE_SERVER) + { + msg(msglevel, "Only client and p2p data channel offload is supported " + "with ovpn-dco-win."); + return false; + } + + if (o->persist_tun) + { + msg(msglevel, "--persist-tun is not supported with ovpn-dco-win."); + return false; + } +#elif defined(TARGET_LINUX) /* if the device name is fixed, we need to check if an interface with this * name already exists. IF it does, it must be a DCO interface, otherwise * DCO has to be disabled in order to continue. @@ -250,7 +263,7 @@ dco_check_startup_option_conflict(int msglevel, const struct options *o) strerror(-ret), ret); } } -#endif /* if defined(TARGET_LINUX) */ +#endif /* if defined(_WIN32) */ #if defined(HAVE_LIBCAPNG) /* DCO can't operate without CAP_NET_ADMIN. To retain it when switching user diff --git a/src/openvpn/dco_freebsd.h b/src/openvpn/dco_freebsd.h index 3594f229..52ba0405 100644 --- a/src/openvpn/dco_freebsd.h +++ b/src/openvpn/dco_freebsd.h @@ -27,6 +27,9 @@ #include "ovpn_dco_freebsd.h" +/* define to what log level we print when a conflicting option is found */ +#define DCO_CHECK_OPTION_LEVEL D_DCO + typedef enum ovpn_key_slot dco_key_slot_t; typedef enum ovpn_key_cipher dco_cipher_t; diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h index 416ea30a..7b7a9ca5 100644 --- a/src/openvpn/dco_linux.h +++ b/src/openvpn/dco_linux.h @@ -31,6 +31,9 @@ #include #include +/* define to what log level we print when a conflicting option is found */ +#define DCO_CHECK_OPTION_LEVEL D_DCO + typedef enum ovpn_key_slot dco_key_slot_t; typedef enum ovpn_cipher_alg dco_cipher_t; diff --git a/src/openvpn/dco_win.h b/src/openvpn/dco_win.h index 348fc568..af959cd6 100644 --- a/src/openvpn/dco_win.h +++ b/src/openvpn/dco_win.h 
@@ -27,6 +27,11 @@ #include "buffer.h" #include "ovpn_dco_win.h" +/* define to what log level we print when a conflicting option is found. + * On windows we can't fallback to non-DCO so we bail out with M_USAGE + */ +#define DCO_CHECK_OPTION_LEVEL M_USAGE + typedef OVPN_KEY_SLOT dco_key_slot_t; typedef OVPN_CIPHER_ALG dco_cipher_t; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2415c1a8..12aee489 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3670,10 +3670,8 @@ options_postprocess_mutate(struct options *o, struct env_set *es) } /* check if any option should force disabling DCO */ -#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) - o->tuntap_options.disable_dco = !dco_check_option_conflict(D_DCO, o) - || !dco_check_startup_option_conflict(D_DCO, o); -#endif + o->tuntap_options.disable_dco = !dco_check_option_conflict(DCO_CHECK_OPTION_LEVEL, o) + || !dco_check_startup_option_conflict(DCO_CHECK_OPTION_LEVEL, o); if (dco_enabled(o) && o->dev_node) {
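Review bot: in the dco.c hunk at @@ -225,7 +225,20 @@, both new `return false;` statements in the `#if defined(_WIN32)` arm are unreachable when the caller passes `M_USAGE` as `msglevel`, which is exactly what the dco_win.h hunk in this series arranges ("we bail out with M_USAGE"); that is harmless, but a short comment above the two checks saying that on Windows `msg()` terminates startup here and the return value only matters on platforms that can fall back to non-DCO would spare the next reader a detour through the log-level definitions. Also note the `#elif defined(TARGET_LINUX)` arm now shares the block, so the trailing `#endif /* if defined(_WIN32) */` in the @@ -250,7 +263,7 @@ hunk only names the first condition; `/* _WIN32 / TARGET_LINUX */` would describe the whole block.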
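Review bot: the dco_linux.h hunk at @@ -31,6 +31,9 @@ adds the same two lines (`/* define to what log level we print when a conflicting option is found */` and `#define DCO_CHECK_OPTION_LEVEL D_DCO`) that the dco_freebsd.h hunk adds; a single default definition in the common DCO header, with dco_win.h overriding it to `M_USAGE`, would avoid keeping two copies in sync, and the comment reads better as "log level used when a conflicting option is found".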
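Review bot: in the dco_win.h hunk at @@ -27,6 +27,11 @@, the comment should state the consequence explicitly: `M_USAGE` is fatal, so on Windows a conflicting option aborts startup instead of setting `disable_dco` as it does on Linux/FreeBSD. Suggested wording: "Log level used when a conflicting option is found. Windows cannot fall back to non-DCO, so we abort with M_USAGE." (also "windows" -> "Windows", "fallback" -> "fall back").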
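Review bot: the options.c hunk at @@ -3670,10 +3670,8 @@ drops the `#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD)` guard, so `DCO_CHECK_OPTION_LEVEL`, `dco_check_option_conflict()` and `dco_check_startup_option_conflict()` must now resolve on every build, yet this patch only defines the macro in dco_freebsd.h, dco_linux.h and dco_win.h; please confirm that the header used when DCO is disabled or on other platforms (not part of this diff) also defines `DCO_CHECK_OPTION_LEVEL`, otherwise those builds stop compiling at this line. Separately, the comment `/* check if any option should force disabling DCO */` is no longer accurate on Windows, where the `M_USAGE` level makes the checks abort rather than disable DCO; a short note there would help.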