From patchwork Fri Sep 9 02:18:41 2022
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 2744
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Cc: Lev Stipakov
Date: Fri, 9 Sep 2022 15:18:41 +0300
Subject: [Openvpn-devel] [PATCH v2] dco.c: check certain options only on startup
Message-Id: <20220909121841.646-1-lstipakov@gmail.com>
In-Reply-To: <20220909091037.553-1-lstipakov@gmail.com>
References: <20220909091037.553-1-lstipakov@gmail.com>
X-Mailer: git-send-email 2.34.1
List-Id: openvpn-devel@lists.sourceforge.net
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
From: Lev Stipakov

The following options are set on startup and cannot be changed later:

- dev
- dev-type
- connections list
- mode
- topology

Same for system-wide availability of dco.

dco_check_option_conflict(), where those options were checked, is also called in server mode when a client is connected. Move those checks to dco_check_startup_option_conflict(), which is only called at startup.

Since we moved the dco_enabled() check to startup, dco_check_option_conflict() might now trigger exit on Windows if the system lacks chachapoly support. Since dco checks only need to be performed for dco, wrap those into "if (dco_enabled) {}".

Signed-off-by: Lev Stipakov
Acked-by: Antonio Quartulli
---
v2: remove "_conflict" ending from dco options check function names, since it adds confusion

 src/openvpn/dco.c     | 149 +++++++++++++++++++++---------------------
 src/openvpn/dco.h     |   8 +--
 src/openvpn/multi.c   |   2 +-
 src/openvpn/options.c |  11 ++--
 4 files changed, 87 insertions(+), 83 deletions(-)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 075820c3..d9e49781 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -222,9 +222,75 @@ dco_update_keys(dco_context_t *dco, struct tls_multi *multi) } } +static bool +dco_check_option_ce(const struct connection_entry *ce, int msglevel) +{ + if (ce->fragment) + { + msg(msglevel, "Note: --fragment disables data channel offload."); + return false; + } + + if (ce->http_proxy_options) + { + msg(msglevel, "Note: --http-proxy disables data channel offload."); + return false; + } + + if (ce->socks_proxy_server) + { + msg(msglevel, "Note: --socks-proxy disables data channel offload."); + return false; + } + +#if defined(TARGET_FREEBSD) + if (!proto_is_udp(ce->proto)) + { + msg(msglevel, "NOTE: TCP transport disables data channel offload on FreeBSD."); + return false; + } +#endif + + return true; +} + bool -dco_check_startup_option_conflict(int msglevel, const struct options *o) +dco_check_startup_option(int msglevel, const struct options *o) { + /* check if DCO was already disabled by the user or if no dev name was + * specified at all. In the latter case, later logic will most likely stop + * OpenVPN, so no need to print any message here. + */ + if (!dco_enabled(o) || !o->dev) + { + return false; + } + + if (dev_type_enum(o->dev, o->dev_type) != DEV_TYPE_TUN) + { + msg(msglevel, "Note: dev-type not tun, disabling data channel offload."); + return false; + } + + if (o->connection_list) + { + const struct connection_list *l = o->connection_list; + for (int i = 0; i < l->len; ++i) + { + if (!dco_check_option_ce(l->array[i], msglevel)) + { + return false; + } + } + } + else + { + if (!dco_check_option_ce(&o->ce, msglevel)) + { + return false; + } + } + #if defined(_WIN32) if (o->mode == MODE_SERVER) { 
@@ -281,59 +347,22 @@ dco_check_startup_option_conflict(int msglevel, const struct options *o) } } #endif /* if defined(HAVE_LIBCAPNG) */ - return true; -} -static bool -dco_check_option_conflict_ce(const struct connection_entry *ce, int msglevel) -{ - if (ce->fragment) - { - msg(msglevel, "Note: --fragment disables data channel offload."); - return false; - } - - if (ce->http_proxy_options) - { - msg(msglevel, "Note: --http-proxy disables data channel offload."); - return false; - } - - if (ce->socks_proxy_server) - { - msg(msglevel, "Note: --socks-proxy disables data channel offload."); - return false; - } - -#if defined(TARGET_FREEBSD) - if (!proto_is_udp(ce->proto)) + if (o->mode == MODE_SERVER && o->topology != TOP_SUBNET) { - msg(msglevel, "NOTE: TCP transport disables data channel offload on FreeBSD."); + msg(msglevel, "Note: NOT using '--topology subnet' disables data channel offload."); return false; } -#endif - return true; + /* now that all options have been confirmed to be supported, check + * if DCO is truly available on the system + */ + return dco_available(msglevel); } bool -dco_check_option_conflict(int msglevel, const struct options *o) +dco_check_option(int msglevel, const struct options *o) { - /* check if DCO was already disabled by the user or if no dev name was - * specified at all. In the latter case, later logic will most likely stop - * OpenVPN, so no need to print any message here. - */ - if (!dco_enabled(o) || !o->dev) - { - return false; - } - - if (dev_type_enum(o->dev, o->dev_type) != DEV_TYPE_TUN) - { - msg(msglevel, "Note: dev-type not tun, disabling data channel offload."); - return false; - } - /* At this point the ciphers have already been normalised */ if (o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, dco_get_supported_ciphers())) 
@@ -343,31 +372,6 @@ dco_check_option_conflict(int msglevel, const struct options *o) return false; } - if (o->connection_list) - { - const struct connection_list *l = o->connection_list; - for (int i = 0; i < l->len; ++i) - { - if (!dco_check_option_conflict_ce(l->array[i], msglevel)) - { - return false; - } - } - } - else - { - if (!dco_check_option_conflict_ce(&o->ce, msglevel)) - { - return false; - } - } - - if (o->mode == MODE_SERVER && o->topology != TOP_SUBNET) - { - msg(msglevel, "Note: NOT using '--topology subnet' disables data channel offload."); - return false; - } - #if defined(USE_COMP) if (o->comp.alg != COMP_ALG_UNDEF || o->comp.flags & COMP_F_ALLOW_ASYM @@ -400,10 +404,7 @@ dco_check_option_conflict(int msglevel, const struct options *o) } gc_free(&gc); - /* now that all options have been confirmed to be supported, check - * if DCO is truly available on the system - */ - return dco_available(msglevel); + return true; } bool diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h index e5f6b51c..e051db06 100644 --- a/src/openvpn/dco.h +++ b/src/openvpn/dco.h @@ -67,7 +67,7 @@ bool dco_available(int msglevel); * @param o the options struct that hold the options * @return true if no conflict was detected, false otherwise */ -bool dco_check_option_conflict(int msglevel, const struct options *o); +bool dco_check_option(int msglevel, const struct options *o); /** * Check whether the options struct has any further option that is not supported @@ -79,7 +79,7 @@ bool dco_check_option_conflict(int msglevel, const struct options *o); * @param o the options struct that hold the options * @return true if no conflict was detected, false otherwise */ -bool dco_check_startup_option_conflict(int msglevel, const struct options *o); +bool dco_check_startup_option(int msglevel, const struct options *o); /** * Check whether any of the options pushed by the server is not supported by 
@@ -243,13 +243,13 @@ dco_available(int msglevel) } static inline bool -dco_check_option_conflict(int msglevel, const struct options *o) +dco_check_option(int msglevel, const struct options *o) { return false; } static inline bool -dco_check_startup_option_conflict(int msglevel, const struct options *o) +dco_check_startup_option(int msglevel, const struct options *o) { return false; } diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index b58bea7b..1bbeab7d 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2719,7 +2719,7 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi) /* Check if we have forbidding options in the current mode */ if (dco_enabled(&mi->context.options) - && !dco_check_option_conflict(D_MULTI_ERRORS, &mi->context.options)) + && !dco_check_option(D_MULTI_ERRORS, &mi->context.options)) { msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to incompatible DCO options"); cc_succeeded = false; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index a296086d..2e567571 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3685,14 +3685,17 @@ options_postprocess_mutate(struct options *o, struct env_set *es) #if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) /* check if any option should force disabling DCO */ - o->tuntap_options.disable_dco = !dco_check_option_conflict(D_DCO, o) - || !dco_check_startup_option_conflict(D_DCO, o); + o->tuntap_options.disable_dco = !dco_check_option(D_DCO, o) + || !dco_check_startup_option(D_DCO, o); #elif defined(_WIN32) /* in Windows we have no 'fallback to non-DCO' strategy, so if a conflicting * option is found, we simply bail out by means of M_USAGE */ - dco_check_option_conflict(M_USAGE, o); - dco_check_startup_option_conflict(M_USAGE, o); + if (dco_enabled(o)) + { + dco_check_option(M_USAGE, o); + dco_check_startup_option(M_USAGE, o); + } #endif if (dco_enabled(o) && o->dev_node)
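Review bot: In the options.c hunk, the Linux/FreeBSD branch still evaluates `!dco_check_option(D_DCO, o)` before `!dco_check_startup_option(D_DCO, o)`, but after this patch dco_check_option no longer carries the `if (!dco_enabled(o) || !o->dev) { return false; }` guard (it was moved into dco_check_startup_option in the first dco.c hunk). So when the user has already disabled DCO, the ciphername/enable_ncp_fallback and USE_COMP checks in dco_check_option still run and still emit their "disables data channel offload" notes before the guard is ever reached, and if one of them returns false the `||` short-circuits and the guarded function is never called. The Windows branch gets an `if (dco_enabled(o))` wrapper and multi.c already has `if (dco_enabled(&mi->context.options) && ...`; the Linux/FreeBSD assignment should get the same wrapper, or the two calls should be swapped so that dco_check_startup_option, which owns the dco_enabled() check, runs first.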
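Review bot: In the first dco.c hunk (dco_check_startup_option), the loop over `o->connection_list` returns on the first entry for which dco_check_option_ce fails, and the message that entry produces ("Note: --fragment disables data channel offload.", "Note: --socks-proxy disables data channel offload.") does not say which of the configured connection entries triggered it, so with several <connection> blocks the user cannot tell which one to fix. Passing the index `i` into dco_check_option_ce, or logging it in the loop before returning, would make the note actionable. Related wording point: on Windows both functions are called with M_USAGE (see the options.c hunk's comment "we simply bail out by means of M_USAGE"), so these "Note: ... disables data channel offload." strings become the text of a fatal usage error while telling the user that DCO is merely being turned off.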
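Review bot: In the dco.h hunk only the prototypes are renamed; the Doxygen blocks above them still read "@return true if no conflict was detected, false otherwise" and still describe both functions in the same terms, which is exactly the confusion the v2 rename is meant to remove. The comments should also state the new split the dco.c hunks introduce: dco_check_option now assumes the caller has already verified dco_enabled(o) (it no longer checks that, and its final statement is `return true;` rather than `return dco_available(msglevel);`), while dco_check_startup_option is the one that checks dev, dev-type, the connection entries, topology and, as its last step, dco_available(). Suggest e.g. "@return true if all options are compatible with DCO, false otherwise" and a note on dco_check_option that it must only be called when DCO is enabled.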