Signed-off-by: Antonio Quartulli <a...@unstable.cc> --- Changes from v1: * renamed disable_dco to dco_enabled
src/openvpn/init.c | 49 ++++++++++++++++++++++++++++++++-------- src/openvpn/ssl_common.h | 23 +++++++++++++++++++ 2 files changed, 63 insertions(+), 9 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 779fc4a5..b6e1707f 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -55,6 +55,7 @@ #include "auth_token.h" #include "mss.h" #include "mudp.h" +#include "dco.h" #include "memdbg.h" @@ -1315,15 +1316,23 @@ do_init_timers(struct context *c, bool deferred) } /* initialize pings */ - - if (c->options.ping_send_timeout) + if (dco_enabled(&c->options)) { - event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0); + /* The DCO kernel module will send the pings instead of user space */ + event_timeout_clear(&c->c2.ping_rec_interval); + event_timeout_clear(&c->c2.ping_send_interval); } - - if (c->options.ping_rec_timeout) + else { - event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now); + if (c->options.ping_send_timeout) + { + event_timeout_init(&c->c2.ping_send_interval, c->options.ping_send_timeout, 0); + } + + if (c->options.ping_rec_timeout) + { + event_timeout_init(&c->c2.ping_rec_interval, c->options.ping_rec_timeout, now); + } } if (!deferred) @@ -1733,6 +1742,12 @@ do_open_tun(struct context *c) /* initialize (but do not open) tun/tap object */ do_init_tun(c); + /* inherit the dco context from the tuntap object */ + if (c->c2.tls_multi) + { + c->c2.tls_multi->dco = &c->c1.tuntap->dco; + } + #ifdef _WIN32 /* store (hide) interactive service handle in tuntap_options */ c->c1.tuntap->options.msg_channel = c->options.msg_channel; @@ -1781,6 +1796,11 @@ do_open_tun(struct context *c) /* Store the old fd inside the fd so open_tun can use it */ c->c1.tuntap->fd = oldtunfd; #endif + if (dco_enabled(&c->options)) + { + ovpn_dco_init(c->mode, &c->c1.tuntap->dco); + } + /* open the tun device */ open_tun(c->options.dev, c->options.dev_type, c->options.dev_node, c->c1.tuntap, &c->net_ctx); @@ -3004,12 +3024,20 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) } } + /* let the TLS engine know if keys have to be installed in DCO or not */ + to.dco_enabled = dco_enabled(options); + /* * Initialize OpenVPN's master TLS-mode object. */ if (flags & CF_INIT_TLS_MULTI) { c->c2.tls_multi = tls_multi_init(&to); + /* inherit the dco context from the tuntap object */ + if (c->c1.tuntap) + { + c->c2.tls_multi->dco = &c->c1.tuntap->dco; + } } if (flags & CF_INIT_TLS_AUTH_STANDALONE) @@ -4389,15 +4417,18 @@ inherit_context_child(struct context *dest, #endif /* context init */ + + /* inherit tun/tap interface object now as it may be required + * to initialize the DCO context in init_instance() + */ + dest->c1.tuntap = src->c1.tuntap; + init_instance(dest, src->c2.es, CC_NO_CLOSE | CC_USR1_TO_HUP); if (IS_SIG(dest)) { return; } - /* inherit tun/tap interface object */ - dest->c1.tuntap = src->c1.tuntap; - /* UDP inherits some extra things which TCP does not */ if (dest->mode == CM_CHILD_UDP) { diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index cef2611b..c565d78c 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -167,6 +167,12 @@ enum auth_deferred_result { ACF_FAILED /**< deferred auth has failed */ }; +enum dco_key_status { + DCO_NOT_INSTALLED, + DCO_INSTALLED_PRIMARY, + DCO_INSTALLED_SECONDARY +}; + /** * Security parameter state of one TLS and data channel %key session. * @ingroup control_processor @@ -197,6 +203,12 @@ struct key_state */ int key_id; + /** + * Key id for this key_state, inherited from struct tls_session. + * @see tls_multi::peer_id. + */ + uint32_t peer_id; + struct key_state_ssl ks_ssl; /* contains SSL object and BIOs for the control channel */ time_t initial; /* when we created this session */ @@ -241,6 +253,8 @@ struct key_state struct auth_deferred_status plugin_auth; struct auth_deferred_status script_auth; + + enum dco_key_status dco_status; }; /** Control channel wrapping (--tls-auth/--tls-crypt) context */ @@ -404,6 +418,8 @@ struct tls_options const char *ekm_label; size_t ekm_label_size; size_t ekm_size; + + bool dco_enabled; /**< Whether keys have to be installed in DCO or not */ }; /** @addtogroup control_processor @@ -636,6 +652,13 @@ struct tls_multi /**< Array of \c tls_session objects * representing control channel * sessions with the remote peer. */ + + /* Only used when DCO is used to remember how many keys we installed + * for this session */ + int dco_keys_installed; + bool dco_peer_added; + + dco_context_t *dco; }; /** gets an item of \c key_state objects in the -- 2.35.1 _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel