From patchwork Thu Jul 28 09:47:33 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 2613 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 4JScDAHo4mK/SQAAIUCqbw (envelope-from ) for ; Thu, 28 Jul 2022 15:48:17 -0400 Received: from proxy12.mail.iad3b.rsapps.net ([172.31.255.6]) by director10.mail.ord1d.rsapps.net with LMTP id IP/ZCwHo4mLALAAApN4f7A (envelope-from ) for ; Thu, 28 Jul 2022 15:48:17 -0400 Received: from smtp21.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy12.mail.iad3b.rsapps.net with LMTPS id +BJdBgHo4mKbZgAAEsW3lA (envelope-from ) for ; Thu, 28 Jul 2022 15:48:17 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp21.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=unstable.cc X-Suspicious-Flag: YES X-Classification-ID: 38aefbd0-0eae-11ed-ae54-525400cdc90a-1-1 Received: from [216.105.38.7] ([216.105.38.7:58338] helo=lists.sourceforge.net) by smtp21.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 57/27-09126-008E2E26; Thu, 28 Jul 2022 15:48:16 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1oH9TW-00029L-7e; Thu, 28 Jul 2022 19:47:14 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1oH9TV-00029F-Pf for openvpn-devel@lists.sourceforge.net; Thu, 28 Jul 2022 19:47:13 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=YeZ0OP0Xoj9qB5vArRMRZi/2uBa0ws6eg8RW46x6vso=; b=TG/TvzSBetplG0OnX7Uyk1igOA hwINjZWMnYejqgnstPhU4pxEC/vk532EZo3ZToTiFUxdC/lKlzpKEjoW/4/fxPC3VmZd1uIS9nWSo wXPwJGpzOi07JZBy/+Zp0yDQLhq62CpA+hYNYkAM5VOeewDLPgRcFnHfxT3J7as6kPnU=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=YeZ0OP0Xoj9qB5vArRMRZi/2uBa0ws6eg8RW46x6vso=; b=mMkme1S0P3ZZkC4udq4qAx534P sWK/9drGMzqZX92LmalgPJd7N8wRnwry62n4+oQiJhx2lE5J6hQ8KPsvptZexkFO5yDU1tsqGmLWJ M+6lyjx7aYWEwHXPh6aEQkK//ZsNhQKpL7Ff94Ehgn+j0jI7zZAI5N5tEAOE/Pbl/c1A=; Received: from s2.neomailbox.net ([5.148.176.60]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1oH9TU-0000n2-2K for openvpn-devel@lists.sourceforge.net; Thu, 28 Jul 2022 19:47:13 +0000 From: Antonio Quartulli To: openvpn-devel@lists.sourceforge.net Date: Thu, 28 Jul 2022 21:47:33 +0200 Message-Id: <20220728194733.27721-1-a@unstable.cc> In-Reply-To: <20220624083809.23487-12-a@unstable.cc> References: MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: DCO will try to install keys upon generating them, however, this happens when parsing pushed cipher options (due to NCP). For this reason we need to postpone parsing pushed cipher options to *after* the tunnel interface has been opened, otherwise we would have no DCO netdev object to operate on. Content analysis details: (0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1oH9TU-0000n2-2K Subject: [Openvpn-devel] [PATCH v2 11/25] dco: split option parsing routines X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Antonio Quartulli Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox DCO will try to install keys upon generating them, however, this happens when parsing pushed cipher options (due to NCP). For this reason we need to postpone parsing pushed cipher options to *after* the tunnel interface has been opened, otherwise we would have no DCO netdev object to operate on. At the same time we split the parsing code, so that we can ensure that the NEW_PEER call can happen after the received peer-id has been parsed (it is required by all DCO API calls). Signed-off-by: Antonio Quartulli --- Changes from v1: * removed error message in case of failure of finish_options(). The latter already warns the user about the failure - no need to print another generic message. --- src/openvpn/init.c | 57 ++++++++++++++++++++++++++++----------------- src/openvpn/init.h | 2 ++ src/openvpn/multi.c | 7 ++++++ 3 files changed, 44 insertions(+), 22 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 338d797b..db42d540 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2093,14 +2093,6 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) return false; } } - else if (c->mode == MODE_POINT_TO_POINT) - { - if (!do_deferred_p2p_ncp(c)) - { - msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options"); - return false; - } - } /* if --up-delay specified, open tun, do ifconfig, and run up script now */ if (c->options.up_delay || PULL_DEFINED(&c->options)) @@ -2127,6 +2119,20 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) } } + if (!pulled_options && c->mode == MODE_POINT_TO_POINT) + { + if (!do_deferred_p2p_ncp(c)) + { + msg(D_TLS_ERRORS, "ERROR: Failed to apply P2P negotiated protocol options"); + return false; + } + } + + if (!finish_options(c)) + { + return false; + } + if (c->c2.did_open_tun) { c->c1.pulled_options_digest_save = c->c2.pulled_options_digest; @@ -2332,23 +2338,30 @@ do_deferred_options(struct context *c, const unsigned int found) { return false; } - struct frame *frame_fragment = NULL; + } + + return true; +} + +bool +finish_options(struct context *c) +{ + struct frame *frame_fragment = NULL; #ifdef ENABLE_FRAGMENT - if (c->options.ce.fragment) - { - frame_fragment = &c->c2.frame_fragment; - } + if (c->options.ce.fragment) + { + frame_fragment = &c->c2.frame_fragment; + } #endif - struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - if (!tls_session_update_crypto_params(c->c2.tls_multi, session, - &c->options, &c->c2.frame, - frame_fragment, - get_link_socket_info(c))) - { - msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); - return false; - } + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + if (!tls_session_update_crypto_params(c->c2.tls_multi, session, + &c->options, &c->c2.frame, + frame_fragment, + get_link_socket_info(c))) + { + msg(D_TLS_ERRORS, "OPTIONS ERROR: failed to import crypto options"); + return false; } return true; diff --git a/src/openvpn/init.h b/src/openvpn/init.h index 5f412a33..9389e0db 100644 --- a/src/openvpn/init.h +++ b/src/openvpn/init.h @@ -97,6 +97,8 @@ void reset_coarse_timers(struct context *c); bool do_deferred_options(struct context *c, const unsigned int found); +bool finish_options(struct context *c); + void inherit_context_child(struct context *dest, const struct context *src); diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index c72575ae..34ab90b4 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2405,6 +2405,13 @@ multi_client_connect_late_setup(struct multi_context *m, { mi->context.c2.tls_multi->multi_state = CAS_FAILED; } + /* Continue processing options only if authentication hasn't failed. + * Otherwise it does not make sense and we may operate on a non-configured + * client instance */ + else + { + finish_options(&mi->context); + } /* send push reply if ready */ if (mi->context.c2.push_request_received) From patchwork Thu Jul 28 09:55:01 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 2614 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id eIyLFbnp4mJRVwAAIUCqbw (envelope-from ) for ; Thu, 28 Jul 2022 15:55:37 -0400 Received: from proxy10.mail.ord1d.rsapps.net ([172.30.191.6]) by director10.mail.ord1d.rsapps.net with LMTP id 8NU9Fbnp4mJ8LwAApN4f7A (envelope-from ) for ; Thu, 28 Jul 2022 15:55:37 -0400 Received: from smtp33.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy10.mail.ord1d.rsapps.net with LMTPS id gLzqFLnp4mLDCgAAfSg8FQ (envelope-from ) for ; Thu, 28 Jul 2022 15:55:37 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp33.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=unstable.cc X-Suspicious-Flag: YES X-Classification-ID: 3f6cb894-0eaf-11ed-92fe-525400041ef2-1-1 Received: from [216.105.38.7] ([216.105.38.7:54884] helo=lists.sourceforge.net) by smtp33.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 52/93-13190-8B9E2E26; Thu, 28 Jul 2022 15:55:37 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1oH9ad-0001Pp-Jo; Thu, 28 Jul 2022 19:54:36 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1oH9ab-0001Pi-Qp for openvpn-devel@lists.sourceforge.net; Thu, 28 Jul 2022 19:54:34 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=p1T6V4EI8xvfzi5Z90p0p0DP2l0S4wVDzf5WhiO3Myc=; b=XTTI082Nhq05umeKOYcbmawzmE oG9BkHJAvZS/R61M5+WSCypwxQ6FW6rv/kX7ZudYsQY8X8Vyy8dfCFfqQl62FbkESMgEvyDxvFZJw gCEIjJ96xfRBBIu3HX9SxhcHxSGCVeaaeBRiSHeocVrm6ejmfzANszO3oBxUGFajPrJE=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=p1T6V4EI8xvfzi5Z90p0p0DP2l0S4wVDzf5WhiO3Myc=; b=kHd+yYnsYRb0Tt4TEXowQHCyrn vcTIQz3YDSJCgHJib4caDIEU1Jc8lggu/quapCWBuQvJ4/s/GbiBQWuUtwj5TKJx0MxWlEzrQZ/q7 eZTwR2pA+T/iGBjSxHLnDQFtlOEbyZrexlTKqNX8g82mdGt/tVT/y5jt2xhW/66bBpzI=; Received: from s2.neomailbox.net ([5.148.176.60]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1oH9ab-00DIaW-4X for openvpn-devel@lists.sourceforge.net; Thu, 28 Jul 2022 19:54:34 +0000 From: Antonio Quartulli To: openvpn-devel@lists.sourceforge.net Date: Thu, 28 Jul 2022 21:55:01 +0200 Message-Id: <20220728195501.3253-1-a@unstable.cc> In-Reply-To: <20220624083809.23487-15-a@unstable.cc> References: MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This change introduces ovpn-dco support along the p2mp/server code path. Some code seems to be duplicate of the p2p version, but details are different, so it couldn't be shared. Signed-off-by: Antonio Quartulli --- Content analysis details: (-0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1oH9ab-00DIaW-4X Subject: [Openvpn-devel] [PATCH v2 14/25] dco: implement dco support for p2mp/server code path X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Antonio Quartulli Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This change introduces ovpn-dco support along the p2mp/server code path. Some code seems to be duplicate of the p2p version, but details are different, so it couldn't be shared. Signed-off-by: Antonio Quartulli Acked-by: Heiko Hund --- Changes from v1: * fix if condition P_DATA_V2 -> P_DATA_V1 * fix unknown reason string src/openvpn/dco.c | 1 + src/openvpn/dco.h | 49 ++++++++++ src/openvpn/mtcp.c | 59 +++++++++--- src/openvpn/mudp.c | 13 +++ src/openvpn/multi.c | 216 +++++++++++++++++++++++++++++++++++--------- src/openvpn/multi.h | 14 ++- 6 files changed, 296 insertions(+), 56 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index b5717a77..633dd7fd 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -36,6 +36,7 @@ #include "crypto.h" #include "dco.h" #include "errlevel.h" +#include "multi.h" #include "networking.h" #include "openvpn.h" #include "options.h" diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h index 602dafb7..72569083 100644 --- a/src/openvpn/dco.h +++ b/src/openvpn/dco.h @@ -37,10 +37,14 @@ struct event_set; struct key2; struct key_state; +struct multi_context; +struct multi_instance; +struct mroute_addr; struct options; struct tls_multi; struct tuntap; +#define DCO_IROUTE_METRIC 100 #define DCO_DEFAULT_METRIC 200 #if defined(ENABLE_DCO) @@ -181,6 +185,34 @@ int dco_set_peer(dco_context_t *dco, unsigned int peerid, */ void dco_remove_peer(struct context *c); +/** + * Install a new peer in DCO - to be called by a SERVER instance + * + * @param m the server context + * @param mi the client instance + * @return 0 on success or a negative error code otherwise + */ +int dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi); + +/** + * Install an iroute in DCO, which means adding a route to the system routing + * table. To be called by a SERVER instance only. + * + * @param m the server context + * @param mi the client instance acting as nexthop for the route + * @param addr the route to add + */ +void dco_install_iroute(struct multi_context *m, struct multi_instance *mi, + struct mroute_addr *addr); + +/** + * Remove all routes added through the specified client + * + * @param m the server context + * @param mi the client instance for which routes have to be removed + */ +void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi); + #else /* if defined(ENABLE_DCO) */ typedef void *dco_context_t; @@ -271,5 +303,22 @@ dco_remove_peer(struct context *c) { } +static inline bool +dco_multi_add_new_peer(struct multi_context *m, struct multi_instance *mi) +{ + return true; +} + +static inline void +dco_install_iroute(struct multi_context *m, struct multi_instance *mi, + struct mroute_addr *addr) +{ +} + +static inline void +dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi) +{ +} + #endif /* defined(ENABLE_DCO) */ #endif /* ifndef DCO_H */ diff --git a/src/openvpn/mtcp.c b/src/openvpn/mtcp.c index b3c153fe..eb88a56a 100644 --- a/src/openvpn/mtcp.c +++ b/src/openvpn/mtcp.c @@ -61,6 +61,7 @@ #define MTCP_SIG ((void *)3) /* Only on Windows */ #define MTCP_MANAGEMENT ((void *)4) #define MTCP_FILE_CLOSE_WRITE ((void *)5) +#define MTCP_DCO ((void *)6) #define MTCP_N ((void *)16) /* upper bound on MTCP_x */ @@ -131,6 +132,8 @@ multi_create_instance_tcp(struct multi_context *m) const uint32_t hv = hash_value(hash, &mi->real); struct hash_bucket *bucket = hash_bucket(hash, hv); + multi_assign_peer_id(m, mi); + he = hash_lookup_fast(hash, bucket, &mi->real, hv); if (he) @@ -238,6 +241,7 @@ multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi if (ls && mi->socket_set_called) { event_del(mtcp->es, socket_event_handle(ls)); + mi->socket_set_called = false; } mtcp->n_esr = 0; } @@ -279,6 +283,9 @@ multi_tcp_wait(const struct context *c, } #endif tun_set(c->c1.tuntap, mtcp->es, EVENT_READ, MTCP_TUN, persistent); +#if defined(TARGET_LINUX) + dco_event_set(&c->c1.tuntap->dco, mtcp->es, MTCP_DCO); +#endif #ifdef ENABLE_MANAGEMENT if (management) @@ -395,6 +402,18 @@ multi_tcp_wait_lite(struct multi_context *m, struct multi_instance *mi, const in tv_clear(&c->c2.timeval); /* ZERO-TIMEOUT */ + if (mi && mi->context.c2.link_socket->info.dco_installed) + { + /* If we got a socket that has been handed over to the kernel + * we must not call the normal socket function to figure out + * if it is readable or writable */ + /* Assert that we only have the DCO exptected flags */ + ASSERT(action & (TA_SOCKET_READ | TA_SOCKET_WRITE)); + + /* We are always ready! */ + return action; + } + switch (action) { case TA_TUN_READ: @@ -518,7 +537,10 @@ multi_tcp_dispatch(struct multi_context *m, struct multi_instance *mi, const int case TA_INITIAL: ASSERT(mi); - multi_tcp_set_global_rw_flags(m, mi); + if (!mi->context.c2.link_socket->info.dco_installed) + { + multi_tcp_set_global_rw_flags(m, mi); + } multi_process_post(m, mi, mpp_flags); break; @@ -568,7 +590,10 @@ multi_tcp_post(struct multi_context *m, struct multi_instance *mi, const int act } else { - multi_tcp_set_global_rw_flags(m, mi); + if (!c->c2.link_socket->info.dco_installed) + { + multi_tcp_set_global_rw_flags(m, mi); + } } break; @@ -625,23 +650,22 @@ multi_tcp_action(struct multi_context *m, struct multi_instance *mi, int action, /* * Dispatch the action */ - { - struct multi_instance *touched = multi_tcp_dispatch(m, mi, action); + struct multi_instance *touched = multi_tcp_dispatch(m, mi, action); - /* - * Signal received or TCP connection - * reset by peer? - */ - if (touched && IS_SIG(&touched->context)) + /* + * Signal received or TCP connection + * reset by peer? + */ + if (touched && IS_SIG(&touched->context)) + { + if (mi == touched) { - if (mi == touched) - { - mi = NULL; - } - multi_close_instance_on_signal(m, touched); + mi = NULL; } + multi_close_instance_on_signal(m, touched); } + /* * If dispatch produced any pending output * for a particular instance, point to @@ -739,6 +763,13 @@ multi_tcp_process_io(struct multi_context *m) multi_tcp_action(m, mi, TA_INITIAL, false); } } +#if defined(ENABLE_DCO) && defined(TARGET_LINUX) + /* incoming data on DCO? */ + else if (e->arg == MTCP_DCO) + { + multi_process_incoming_dco(m); + } +#endif /* signal received? */ else if (e->arg == MTCP_SIG) { diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 0cbca1a9..ddb1efc9 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -381,6 +381,19 @@ multi_process_io_udp(struct multi_context *m) multi_process_file_closed(m, mpp_flags); } #endif +#if defined(ENABLE_DCO) && defined(TARGET_LINUX) + else if (status & DCO_READ) + { + if (!IS_SIG(&m->top)) + { + bool ret = true; + while (ret) + { + ret = multi_process_incoming_dco(m); + } + } + } +#endif } /* diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 34ab90b4..4b671bb3 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -51,6 +51,7 @@ #include "crypto_backend.h" #include "ssl_util.h" +#include "dco.h" /*#define MULTI_DEBUG_EVENT_LOOP*/ @@ -519,6 +520,9 @@ multi_del_iroutes(struct multi_context *m, { const struct iroute *ir; const struct iroute_ipv6 *ir6; + + dco_delete_iroutes(m, mi); + if (TUNNEL_TYPE(mi->context.c1.tuntap) == DEV_TYPE_TUN) { for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next) @@ -1224,16 +1228,20 @@ multi_learn_in_addr_t(struct multi_context *m, addr.netbits = (uint8_t) netbits; } - { - struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0); + struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0); #ifdef ENABLE_MANAGEMENT - if (management && owner) - { - management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary); - } + if (management && owner) + { + management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary); + } #endif - return owner; + if (!primary) + { + /* We do not want to install IP -> IP dev ovpn-dco0 */ + dco_install_iroute(m, mi, &addr); } + + return owner; } static struct multi_instance * @@ -1257,16 +1265,20 @@ multi_learn_in6_addr(struct multi_context *m, mroute_addr_mask_host_bits( &addr ); } - { - struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0); + struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0); #ifdef ENABLE_MANAGEMENT - if (management && owner) - { - management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary); - } + if (management && owner) + { + management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary); + } #endif - return owner; + if (!primary) + { + /* We do not want to install IP -> IP dev ovpn-dco0 */ + dco_install_iroute(m, mi, &addr); } + + return owner; } /* @@ -1765,6 +1777,15 @@ multi_client_set_protocol_options(struct context *c) tls_multi->use_peer_id = true; o->use_peer_id = true; } + else if (dco_enabled(o)) + { + msg(M_INFO, "Client does not support DATA_V2. Data channel offloaing " + "requires DATA_V2. Dropping client."); + auth_set_client_reason(tls_multi, "Data channel negotiation " + "failed (missing DATA_V2)"); + return false; + } + if (proto & IV_PROTO_REQUEST_PUSH) { c->c2.push_request_received = true; @@ -2276,8 +2297,9 @@ cleanup: * Generates the data channel keys */ static bool -multi_client_generate_tls_keys(struct context *c) +multi_client_generate_tls_keys(struct multi_context *m, struct multi_instance *mi) { + struct context *c = &mi->context; struct frame *frame_fragment = NULL; #ifdef ENABLE_FRAGMENT if (c->options.ce.fragment) @@ -2285,6 +2307,17 @@ multi_client_generate_tls_keys(struct context *c) frame_fragment = &c->c2.frame_fragment; } #endif + + if (dco_enabled(&c->options)) + { + int ret = dco_multi_add_new_peer(m, mi); + if (ret < 0) + { + msg(D_DCO, "Cannot add peer to DCO: %s", strerror(-ret)); + return false; + } + } + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; if (!tls_session_update_crypto_params(c->c2.tls_multi, session, &c->options, &c->c2.frame, frame_fragment, @@ -2401,7 +2434,7 @@ multi_client_connect_late_setup(struct multi_context *m, } /* Generate data channel keys only if setting protocol options * has not failed */ - else if (!multi_client_generate_tls_keys(&mi->context)) + else if (!multi_client_generate_tls_keys(m, mi)) { mi->context.c2.tls_multi->multi_state = CAS_FAILED; } @@ -2668,6 +2701,14 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) (*cur_handler_index)++; } + /* Check if we have forbidding options in the current mode */ + if (dco_enabled(&mi->context.options) + && !dco_check_option_conflict(D_MULTI_ERRORS, &mi->context.options)) + { + msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to incompatible DCO options"); + cc_succeeded = false; + } + if (cc_succeeded) { multi_client_connect_late_setup(m, mi, *option_types_found); @@ -3086,6 +3127,124 @@ done: gc_free(&gc); } +/* + * Called when an instance should be closed due to the + * reception of a soft signal. + */ +void +multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi) +{ + remap_signal(&mi->context); + set_prefix(mi); + print_signal(mi->context.sig, "client-instance", D_MULTI_LOW); + clear_prefix(); + multi_close_instance(m, mi, false); +} + +#if (defined(ENABLE_DCO) && defined(TARGET_LINUX)) || defined(ENABLE_MANAGEMENT) +static void +multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig) +{ + mi->context.sig->signal_received = sig; + multi_close_instance_on_signal(m, mi); +} +#endif + +#if defined(ENABLE_DCO) && defined(TARGET_LINUX) +static void +process_incoming_dco_packet(struct multi_context *m, struct multi_instance *mi, + dco_context_t *dco) +{ + if (BLEN(&dco->dco_packet_in) < 1) + { + msg(D_DCO, "Received too short packet for peer %d", + dco->dco_message_peer_id); + goto done; + } + + uint8_t *ptr = BPTR(&dco->dco_packet_in); + uint8_t op = ptr[0] >> P_OPCODE_SHIFT; + if ((op == P_DATA_V1) || (op == P_DATA_V2)) + { + msg(D_DCO, "DCO: received data channel packet for peer %d", + dco->dco_message_peer_id); + goto done; + } + + struct buffer orig_buf = mi->context.c2.buf; + mi->context.c2.buf = dco->dco_packet_in; + + multi_process_incoming_link(m, mi, 0); + + mi->context.c2.buf = orig_buf; + +done: + buf_init(&dco->dco_packet_in, 0); +} + +static void +process_incoming_del_peer(struct multi_context *m, struct multi_instance *mi, + dco_context_t *dco) +{ + const char *reason = "ovpn-dco: unknown reason"; + switch (dco->dco_del_peer_reason) + { + case OVPN_DEL_PEER_REASON_EXPIRED: + reason = "ovpn-dco: ping expired"; + break; + + case OVPN_DEL_PEER_REASON_TRANSPORT_ERROR: + reason = "ovpn-dco: transport error"; + break; + + case OVPN_DEL_PEER_REASON_USERSPACE: + /* This very likely ourselves but might be another process, so + * still process it */ + reason = "ovpn-dco: userspace request"; + break; + } + + /* When kernel already deleted the peer, the socket is no longer + * installed and we don't need to cleanup the state in the kernel */ + mi->context.c2.tls_multi->dco_peer_added = false; + mi->context.sig->signal_text = reason; + multi_signal_instance(m, mi, SIGTERM); +} + +bool +multi_process_incoming_dco(struct multi_context *m) +{ + dco_context_t *dco = &m->top.c1.tuntap->dco; + + struct multi_instance *mi = NULL; + + int ret = dco_do_read(&m->top.c1.tuntap->dco); + + int peer_id = dco->dco_message_peer_id; + + if ((peer_id >= 0) && (peer_id < m->max_clients) && (m->instances[peer_id])) + { + mi = m->instances[peer_id]; + if (dco->dco_message_type == OVPN_CMD_PACKET) + { + process_incoming_dco_packet(m, mi, dco); + } + else if (dco->dco_message_type == OVPN_CMD_DEL_PEER) + { + process_incoming_del_peer(m, mi, dco); + } + } + else + { + msg(D_DCO, "Received packet for peer-id unknown to OpenVPN: %d", peer_id); + } + + dco->dco_message_type = 0; + dco->dco_message_peer_id = -1; + return ret > 0; +} +#endif /* if defined(ENABLE_DCO) && defined(TARGET_LINUX) */ + /* * Process packets in the TCP/UDP socket -> TUN/TAP interface direction, * i.e. client -> server direction. @@ -3647,32 +3806,11 @@ multi_process_signal(struct multi_context *m) return true; } -/* - * Called when an instance should be closed due to the - * reception of a soft signal. - */ -void -multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi) -{ - remap_signal(&mi->context); - set_prefix(mi); - print_signal(mi->context.sig, "client-instance", D_MULTI_LOW); - clear_prefix(); - multi_close_instance(m, mi, false); -} - /* * Management subsystem callbacks */ #ifdef ENABLE_MANAGEMENT -static void -multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig) -{ - mi->context.sig->signal_received = sig; - multi_close_instance_on_signal(m, mi); -} - static void management_callback_status(void *arg, const int version, struct status_output *so) { @@ -3762,10 +3900,6 @@ management_delete_event(void *arg, event_t event) } } -#endif /* ifdef ENABLE_MANAGEMENT */ - -#ifdef ENABLE_MANAGEMENT - static struct multi_instance * lookup_by_cid(struct multi_context *m, const unsigned long cid) { diff --git a/src/openvpn/multi.h b/src/openvpn/multi.h index f1e9ab91..370d795c 100644 --- a/src/openvpn/multi.h +++ b/src/openvpn/multi.h @@ -98,7 +98,9 @@ struct client_connect_defer_state * server-mode. */ struct multi_instance { - struct schedule_entry se; /* this must be the first element of the structure */ + struct schedule_entry se; /* this must be the first element of the structure, + * We cast between this and schedule_entry so the + * beginning of the struct must be identical */ struct gc_arena gc; bool halt; int refcount; @@ -310,6 +312,16 @@ void multi_process_float(struct multi_context *m, struct multi_instance *mi); */ bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags); +/** + * Process an incoming DCO message (from kernel space). + * + * @param m - The single \c multi_context structur.e + * + * @return + * - True, if the message was received correctly. + * - False, if there was an error while reading the message. + */ +bool multi_process_incoming_dco(struct multi_context *m); /**************************************************************************/ /**