From patchwork Fri Sep 9 04:45:46 2022
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 2745
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Cc: Lev Stipakov
Date: Fri, 9 Sep 2022 17:45:46 +0300
Message-Id: <20220909144546.672-1-lstipakov@gmail.com>
X-Mailer: git-send-email 2.34.1
Subject: [Openvpn-devel] [PATCH] Use DCO on Windows by default
From: Lev Stipakov

On startup, check the following conditions:

- ovpn-dco-win driver is installed. Perform this check by trying to open the adapter by symbolic name.
- options are compatible with dco. Same checks as on Linux and FreeBSD. In addition, check that --mode server is not used and --windows-driver is not set to tap-windows6/wintun.

If both checks are passed, use DCO.

Move options_postprocess_mutate_invariant() call below since it depends on the selected windows driver.

dco_check_option() has a side effect on Windows - if dco is not used, it might complain "cipher chachapoly not supported by dco, disabling dco" if chachapoly support is missing system-wide. To not see this, check dco options only if dco is enabled. This means moving dco_enabled() from dco_check_startup_option() to one level above. We do a similar thing in multi_connection_established() before checking ccd options.

Signed-off-by: Lev Stipakov
---
 src/openvpn/dco.c     | 19 +++++++++++------
 src/openvpn/dco_win.c | 23 ++++++++++++++++++++-
 src/openvpn/options.c | 48 +++++++++++++++++++++++++++++--------------
 src/openvpn/options.h |  4 +---
 src/openvpn/tun.c     | 19 -----------------
 src/openvpn/tun.h     | 19 +++++++++++++++++
 6 files changed, 88 insertions(+), 44 deletions(-)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index d9e49781..a76cdd0c 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -257,11 +257,11 @@ dco_check_option_ce(const struct connection_entry *ce, int msglevel) bool dco_check_startup_option(int msglevel, const struct options *o) { - /* check if DCO was already disabled by the user or if no dev name was - * specified at all. In the latter case, later logic will most likely stop - * OpenVPN, so no need to print any message here. + /* check if no dev name was specified at all. In the case, + * later logic will most likely stop OpenVPN, so no need to + * print any message here. */ - if (!dco_enabled(o) || !o->dev) + if (!o->dev) { return false; } 
@@ -294,8 +294,15 @@ dco_check_startup_option(int msglevel, const struct options *o) #if defined(_WIN32) if (o->mode == MODE_SERVER) { - msg(msglevel, "Only client and p2p data channel offload is supported " - "with ovpn-dco."); + msg(msglevel, "--mode server is set. Disabling Data Channel Offload"); + return false; + } + + if ((o->windows_driver == WINDOWS_DRIVER_WINTUN) + || (o->windows_driver == WINDOWS_DRIVER_TAP_WINDOWS6)) + { + msg(msglevel, "--windows-driver is set to '%s'. Disabling Data Channel Offload", + print_windows_driver(o->windows_driver)); return false; } diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c index 22f30280..48a1755a 100644 --- a/src/openvpn/dco_win.c +++ b/src/openvpn/dco_win.c @@ -359,7 +359,28 @@ dco_swap_keys(dco_context_t *dco, unsigned int peer_id) bool dco_available(int msglevel) { - return true; + /* try to open device by symbolic name */ + HANDLE h = CreateFile("\\\\.\\ovpn-dco", GENERIC_READ | GENERIC_WRITE, + 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED, NULL); + + if (h != INVALID_HANDLE_VALUE) + { + CloseHandle(h); + return true; + } + + DWORD err = GetLastError(); + if (err == ERROR_ACCESS_DENIED) + { + /* this likely means that device exists but is already in use, + * don't bail out since later we try to open all existing dco + * devices and then bail out if all devices are in use + */ + return true; + } + + msg(msglevel, "Note: ovpn-dco-win driver is missing, disabling data channel offload."); + return false; } int diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2e567571..e27a957f 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -183,7 +183,7 @@ static const char usage_message[] = " does not begin with \"tun\" or \"tap\".\n" "--dev-node node : Explicitly set the device node rather than using\n" " /dev/net/tun, /dev/tun, /dev/tap, etc.\n" -#if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD)) +#if defined(ENABLE_DCO) && (defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32)) "--disable-dco : Do not attempt using Data Channel Offload.\n" #endif "--lladdr hw : Set the link layer address of the tap device.\n" @@ -851,7 +851,7 @@ init_options(struct options *o, const bool init_gc) o->tuntap_options.dhcp_masq_offset = 0; /* use network address as internal DHCP server address */ o->route_method = ROUTE_METHOD_ADAPTIVE; o->block_outside_dns = false; - o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6; + o->windows_driver = WINDOWS_DRIVER_UNSPECIFIED; #endif o->vlan_accept = VLAN_ALL; o->vlan_pvid = 1; @@ -3606,8 +3606,6 @@ options_postprocess_mutate(struct options *o, struct env_set *es) options_set_backwards_compatible_options(o); options_postprocess_cipher(o); - options_postprocess_mutate_invariant(o); - o->ncp_ciphers = mutate_ncp_cipher_list(o->ncp_ciphers, &o->gc); if (o->ncp_ciphers == NULL) { 
@@ -3683,18 +3681,35 @@ options_postprocess_mutate(struct options *o, struct env_set *es) "incompatible with each other."); } -#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) - /* check if any option should force disabling DCO */ - o->tuntap_options.disable_dco = !dco_check_option(D_DCO, o) - || !dco_check_startup_option(D_DCO, o); -#elif defined(_WIN32) - /* in Windows we have no 'fallback to non-DCO' strategy, so if a conflicting - * option is found, we simply bail out by means of M_USAGE - */ +#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32) if (dco_enabled(o)) { - dco_check_option(M_USAGE, o); - dco_check_startup_option(M_USAGE, o); + /* check if any option should force disabling DCO */ + o->tuntap_options.disable_dco = !dco_check_option(D_DCO, o) + || !dco_check_startup_option(D_DCO, o); + } + else + { + o->tuntap_options.disable_dco = true; + } +#endif + +#ifdef _WIN32 + if (!o->tuntap_options.disable_dco) + { + o->windows_driver = WINDOWS_DRIVER_DCO; + } + else + { + if (o->windows_driver == WINDOWS_DRIVER_DCO) + { + msg(M_WARN, "Option --windows-driver ovpn-dco is ignored because Data Channel Offload is disabled"); + o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6; + } + else if (o->windows_driver == WINDOWS_DRIVER_UNSPECIFIED) + { + o->windows_driver = WINDOWS_DRIVER_TAP_WINDOWS6; + } } #endif @@ -3705,6 +3720,9 @@ options_postprocess_mutate(struct options *o, struct env_set *es) o->dev_node = NULL; } + /* this depends on o->windows_driver, which is set above */ + options_postprocess_mutate_invariant(o); + /* * Save certain parms before modifying options during connect, especially * when using --pull @@ -5903,7 +5921,7 @@ add_option(struct options *options, #endif else if (streq(p[0], "disable-dco")) { -#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) +#if defined(TARGET_LINUX) || defined(TARGET_FREEBSD) || defined(_WIN32) options->tuntap_options.disable_dco = true; #endif } 
diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 6d9174a4..557054ba 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -882,9 +882,7 @@ bool key_is_external(const struct options *options); static inline bool dco_enabled(const struct options *o) { -#if defined(_WIN32) - return o->windows_driver == WINDOWS_DRIVER_DCO; -#elif defined(ENABLE_DCO) +#if defined(ENABLE_DCO) return !o->tuntap_options.disable_dco; #else return false; diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 94803acd..cb2a8fb6 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -3539,25 +3539,6 @@ read_tun(struct tuntap *tt, uint8_t *buf, int len) #elif defined(_WIN32) -static const char * -print_windows_driver(enum windows_driver_type windows_driver) -{ - switch (windows_driver) - { - case WINDOWS_DRIVER_TAP_WINDOWS6: - return "tap-windows6"; - - case WINDOWS_DRIVER_WINTUN: - return "wintun"; - - case WINDOWS_DRIVER_DCO: - return "ovpn-dco"; - - default: - return "unspecified"; - } -} - int tun_read_queue(struct tuntap *tt, int maxsize) { diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h index 1cca1cfb..b7d54f2f 100644 --- a/src/openvpn/tun.h +++ b/src/openvpn/tun.h @@ -660,6 +660,25 @@ tuntap_is_dco_win_timeout(struct tuntap *tt, int status) return tuntap_is_dco_win(tt) && (status < 0) && (openvpn_errno() == ERROR_NETNAME_DELETED); } +static const char * +print_windows_driver(enum windows_driver_type windows_driver) +{ + switch (windows_driver) + { + case WINDOWS_DRIVER_TAP_WINDOWS6: + return "tap-windows6"; + + case WINDOWS_DRIVER_WINTUN: + return "wintun"; + + case WINDOWS_DRIVER_DCO: + return "ovpn-dco"; + + default: + return "unspecified"; + } +} + #else /* ifdef _WIN32 */ static inline bool
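Review bot: In the dco.c hunk at line 257, the rewritten comment reads "In the case," where "In that case," is meant. More importantly, dropping `!dco_enabled(o)` from the early return makes dco_check_startup_option() depend on every caller checking dco_enabled() first; the one caller touched by this patch (options_postprocess_mutate() in options.c) does, but the function carries no doc comment stating that precondition, so a future caller can easily reintroduce the spurious "disabling dco" messages the commit message is trying to avoid. Suggest a one-line comment above the function, e.g. `/* caller must have checked dco_enabled(o) */`.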
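Review bot: In the dco_available() hunk in dco_win.c, `err` is compared only against ERROR_ACCESS_DENIED and every other failure collapses into "ovpn-dco-win driver is missing", so a driver that is present but fails to open (wrong permissions on the device object, a stale or broken install) is reported as absent; logging the code, for instance with `msg(msglevel | M_ERRNO, ...)`, would let support tell the two apart from a user's log. ERROR_ACCESS_DENIED is also what an unprivileged process receives, so "device exists but is already in use" is only one of its meanings; worth stating both in the comment, since in the unprivileged case the function returns true and the failure surfaces later and less clearly. Also, FILE_FLAG_OVERLAPPED is unnecessary on a probe handle that is closed immediately.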
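Review bot: The options.c hunk at line 3683 changes Windows behaviour in a way the commit message does not mention: the removed comment says a conflicting option used to bail out via M_USAGE, whereas now an explicit `--windows-driver ovpn-dco` combined with an incompatible option is downgraded to tap-windows6 with only an M_WARN ("Option --windows-driver ovpn-dco is ignored ..."). A user who deliberately asked for DCO (or who has no tap-windows6 installed) then runs with a different driver than configured. Suggest keeping M_USAGE when the driver was explicitly set to WINDOWS_DRIVER_DCO and falling back only for WINDOWS_DRIVER_UNSPECIFIED, or at least calling the change out in the commit message. Minor: the `else { o->tuntap_options.disable_dco = true; }` branch is a no-op on ENABLE_DCO builds now that dco_enabled() is defined as `!o->tuntap_options.disable_dco` (options.h hunk); harmless, but a comment saying it covers builds without ENABLE_DCO would avoid the question.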
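Review bot: In the tun.h hunk, print_windows_driver() is moved into the header as a plain `static` function. Every translation unit that includes tun.h on Windows then gets its own copy, and any that does not call it trips -Wunused-function. The neighbouring helper tuntap_is_dco_win_timeout() in the same header is `static inline`; declare this one `static inline` as well, which matches the header's existing convention and silences the warning.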