From patchwork Sat Feb 1 12:11:02 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4116
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 1 Feb 2025 13:11:02 +0100
Message-ID: <20250201121102.27395-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v7] multi.c: add iroutes after dco peer is added
From: Lev Stipakov

This doesn't matter for Linux and FreeBSD but matters for dco-win, where iroute subnet is mapped to a peer context, which means that peer has to be created before iroute is added.

Change-Id: I1cac0f036504c87205a3c97589a94a662cf79b99
Signed-off-by: Lev Stipakov
Acked-by: Gert Doering
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/856
This mail reflects revision 7 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index ab49726..025871c 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2442,6 +2442,35 @@ ifconfig_constraint_network, ifconfig_constraint_netmask); } + /* set our client's VPN endpoint for status reporting purposes */ + mi->reporting_addr = mi->context.c2.push_ifconfig_local; + mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local; + + /* set context-level authentication flag */ + mi->context.c2.tls_multi->multi_state = CAS_CONNECT_DONE; + + /* Since dco-win maintains iroute routing table (subnet -> peer), + * peer must be added before iroutes. For other platforms it doesn't matter. */ + + /* authentication complete, calculate dynamic client specific options */ + if (!multi_client_set_protocol_options(&mi->context)) + { + mi->context.c2.tls_multi->multi_state = CAS_FAILED; + } + /* only continue if setting protocol options worked */ + else if (!multi_client_setup_dco_initial(m, mi, &gc)) + { + mi->context.c2.tls_multi->multi_state = CAS_FAILED; + } + /* Generate data channel keys only if setting protocol options + * and DCO initial setup has not failed */ + else if (!multi_client_generate_tls_keys(&mi->context)) + { + mi->context.c2.tls_multi->multi_state = CAS_FAILED; + } + + /* dco peer has been added, it is now safe for Windows to add iroutes */ + /* * For routed tunnels, set up internal route to endpoint * plus add all iroute routes. 
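Review bot: after this move, a failure in any of the three calls (multi_client_set_protocol_options, multi_client_setup_dco_initial, multi_client_generate_tls_keys) only sets multi_state = CAS_FAILED and then falls straight through into the "For routed tunnels, set up internal route to endpoint plus add all iroute routes" block that follows; nothing in the hunk skips or returns, so iroutes are still installed for a client whose dco peer setup or key generation just failed. Either guard the iroute block on multi_state != CAS_FAILED (or return early), or state in the comment why installing iroutes for a failed client is harmless. On style: the new comment "Since dco-win maintains iroute routing table (subnet -> peer), peer must be added before iroutes" is separated from the if-chain it describes by a blank line and a second comment, and "dco peer has been added, it is now safe for Windows to add iroutes" is immediately followed by the existing "/* For routed tunnels ..." comment; fold each into the adjacent comment so the ordering rationale sits on the code it constrains.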
@@ -2489,30 +2518,6 @@ multi_instance_string(mi, false, &gc)); } - /* set our client's VPN endpoint for status reporting purposes */ - mi->reporting_addr = mi->context.c2.push_ifconfig_local; - mi->reporting_addr_ipv6 = mi->context.c2.push_ifconfig_ipv6_local; - - /* set context-level authentication flag */ - mi->context.c2.tls_multi->multi_state = CAS_CONNECT_DONE; - - /* authentication complete, calculate dynamic client specific options */ - if (!multi_client_set_protocol_options(&mi->context)) - { - mi->context.c2.tls_multi->multi_state = CAS_FAILED; - } - /* only continue if setting protocol options worked */ - else if (!multi_client_setup_dco_initial(m, mi, &gc)) - { - mi->context.c2.tls_multi->multi_state = CAS_FAILED; - } - /* Generate data channel keys only if setting protocol options - * and DCO initial setup has not failed */ - else if (!multi_client_generate_tls_keys(&mi->context)) - { - mi->context.c2.tls_multi->multi_state = CAS_FAILED; - } - /* send push reply if ready */ if (mi->context.c2.push_request_received) {
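Review bot: the removed block matches the one added above line for line (same reporting_addr assignments, same CAS_CONNECT_DONE, same three calls with CAS_FAILED on error), so nothing is dropped; the point to verify is the code that now sits between the new and the old position, i.e. the routed-tunnel and iroute setup, which previously ran before multi_state was set to CAS_CONNECT_DONE and before reporting_addr was filled in, and now runs with those already set (or with multi_state == CAS_FAILED). Worth a sentence in the commit message confirming that block has no dependency on the earlier state, since the reordering applies on every platform, not only dco-win.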