From patchwork Thu Sep 8 23:10:37 2022
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 2743
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Cc: Lev Stipakov
Date: Fri, 9 Sep 2022 12:10:37 +0300
Message-Id: <20220909091037.553-1-lstipakov@gmail.com>
X-Mailer: git-send-email 2.34.1
Subject: [Openvpn-devel] [PATCH] dco.c: check certain options only on startup
From: Lev Stipakov

The following options are set on startup and cannot be changed later:

- dev
- dev-type
- connections list
- mode
- topology

Same for system-wide availability of dco.

dco_check_option_conflict(), where those options were checked, is also called in server mode when a client is connected. Move those checks to dco_check_startup_option_conflict(), which is only called at startup.

Since we moved the dco_enabled() check to startup, dco_check_option_conflict() might now trigger exit on Windows if the system lacks chachapoly support. Since dco checks only need to be performed for dco, wrap those into "if (dco_enabled) {}".

Signed-off-by: Lev Stipakov
---
 src/openvpn/dco.c     | 145 +++++++++++++++++++++---------------------
 src/openvpn/options.c |   7 +-
 2 files changed, 78 insertions(+), 74 deletions(-)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 075820c3..a90b6bc7 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -222,9 +222,75 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) } } +static bool +dco_check_option_conflict_ce(const struct connection_entry *ce, int msglevel) +{ + if (ce->fragment) + { + msg(msglevel, "Note: --fragment disables data channel offload."); + return false; + } + + if (ce->http_proxy_options) + { + msg(msglevel, "Note: --http-proxy disables data channel offload."); + return false; + } + + if (ce->socks_proxy_server) + { + msg(msglevel, "Note: --socks-proxy disables data channel offload."); + return false; + } + +#if defined(TARGET_FREEBSD) + if (!proto_is_udp(ce->proto)) + { + msg(msglevel, "NOTE: TCP transport disables data channel offload on FreeBSD."); + return false; + } +#endif + + return true; +} + bool dco_check_startup_option_conflict(int msglevel, const struct options *o) { + /* check if DCO was already disabled by the user or if no dev name was + * specified at all. In the latter case, later logic will most likely stop + * OpenVPN, so no need to print any message here. + */ + if (!dco_enabled(o) || !o->dev) + { + return false; + } + + if (dev_type_enum(o->dev, o->dev_type) != DEV_TYPE_TUN) + { + msg(msglevel, "Note: dev-type not tun, disabling data channel offload."); + return false; + } + + if (o->connection_list) + { + const struct connection_list *l = o->connection_list; + for (int i = 0; i < l->len; ++i) + { + if (!dco_check_option_conflict_ce(l->array[i], msglevel)) + { + return false; + } + } + } + else + { + if (!dco_check_option_conflict_ce(&o->ce, msglevel)) + { + return false; + } + } + #if defined(_WIN32) if (o->mode == MODE_SERVER) { 
@@ -281,59 +347,22 @@ dco_check_startup_option_conflict(int msglevel, const struct options *o) } } #endif /* if defined(HAVE_LIBCAPNG) */ - return true; -} -static bool -dco_check_option_conflict_ce(const struct connection_entry *ce, int msglevel) -{ - if (ce->fragment) - { - msg(msglevel, "Note: --fragment disables data channel offload."); - return false; - } - - if (ce->http_proxy_options) - { - msg(msglevel, "Note: --http-proxy disables data channel offload."); - return false; - } - - if (ce->socks_proxy_server) - { - msg(msglevel, "Note: --socks-proxy disables data channel offload."); - return false; - } - -#if defined(TARGET_FREEBSD) - if (!proto_is_udp(ce->proto)) + if (o->mode == MODE_SERVER && o->topology != TOP_SUBNET) { - msg(msglevel, "NOTE: TCP transport disables data channel offload on FreeBSD."); + msg(msglevel, "Note: NOT using '--topology subnet' disables data channel offload."); return false; } -#endif - return true; + /* now that all options have been confirmed to be supported, check + * if DCO is truly available on the system + */ + return dco_available(msglevel); } bool dco_check_option_conflict(int msglevel, const struct options *o) { - /* check if DCO was already disabled by the user or if no dev name was - * specified at all. In the latter case, later logic will most likely stop - * OpenVPN, so no need to print any message here. - */ - if (!dco_enabled(o) || !o->dev) - { - return false; - } - - if (dev_type_enum(o->dev, o->dev_type) != DEV_TYPE_TUN) - { - msg(msglevel, "Note: dev-type not tun, disabling data channel offload."); - return false; - } - /* At this point the ciphers have already been normalised */ if (o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, dco_get_supported_ciphers())) 
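Review bot: in this hunk dco_check_option_conflict() loses its `if (!dco_enabled(o) || !o->dev) return false;` guard, so the function is now only safe if every caller checks dco_enabled() first; the options.c hunk does that for the Windows startup path, but the server-side per-client call site the commit message mentions is not part of this patch and should be confirmed. Suggest either documenting the precondition in the function's header comment (e.g. `/* caller must ensure dco_enabled(o) */`) or keeping a cheap `if (!dco_enabled(o)) { return false; }` at the top so the function stays correct regardless of call site. Moving `return dco_available(msglevel);` into the startup function is the right place for a system-wide check, but a short comment above `return true;` in dco_check_option_conflict() noting that availability is now verified at startup would help readers who only see this function.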
@@ -343,31 +372,6 @@ dco_check_option_conflict(int msglevel, const struct options *o) return false; } - if (o->connection_list) - { - const struct connection_list *l = o->connection_list; - for (int i = 0; i < l->len; ++i) - { - if (!dco_check_option_conflict_ce(l->array[i], msglevel)) - { - return false; - } - } - } - else - { - if (!dco_check_option_conflict_ce(&o->ce, msglevel)) - { - return false; - } - } - - if (o->mode == MODE_SERVER && o->topology != TOP_SUBNET) - { - msg(msglevel, "Note: NOT using '--topology subnet' disables data channel offload."); - return false; - } - #if defined(USE_COMP) if (o->comp.alg != COMP_ALG_UNDEF || o->comp.flags & COMP_F_ALLOW_ASYM @@ -400,10 +404,7 @@ dco_check_option_conflict(int msglevel, const struct options *o) } gc_free(&gc); - /* now that all options have been confirmed to be supported, check - * if DCO is truly available on the system - */ - return dco_available(msglevel); + return true; } bool diff --git a/src/openvpn/options.c b/src/openvpn/options.c index a296086d..66cfd191 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3691,8 +3691,11 @@ options_postprocess_mutate(struct options *o, struct env_set *es) /* in Windows we have no 'fallback to non-DCO' strategy, so if a conflicting * option is found, we simply bail out by means of M_USAGE */ - dco_check_option_conflict(M_USAGE, o); - dco_check_startup_option_conflict(M_USAGE, o); + if (dco_enabled(o)) + { + dco_check_option_conflict(M_USAGE, o); + dco_check_startup_option_conflict(M_USAGE, o); + } #endif if (dco_enabled(o) && o->dev_node)
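Review bot: the new `if (dco_enabled(o))` block in options_postprocess_mutate() is immediately followed by `if (dco_enabled(o) && o->dev_node)`, so the two could be merged into one block. Also, dco_check_startup_option_conflict() already returns false on `!dco_enabled(o)` in the first hunk, so only dco_check_option_conflict() actually needs the wrapper; the existing comment above the calls should be extended with one line saying the guard exists because the dco_enabled() check was removed from dco_check_option_conflict(), otherwise a later cleanup may drop it again. Note that on Windows, with M_USAGE, the cipher checks in dco_check_option_conflict() still run before the connection-entry and topology checks that moved into the startup function, so a configuration with several conflicts reports the cipher conflict first.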