

Change subject: Support p2p NCP negotiation in p2mp mode
......................................................................

Support p2p NCP negotiation in p2mp mode

This sends the peer info of the server to a p2p mode client if it is
detected. This currently makes little difference, as peer-id/DATAv2 does
not work without asymmetric peer-id support on the p2p mode client, but it
prepares for mesh/multipeer support.

Change-Id: I8f3545f703126dbe96f809e69ad351749b14b1e1
Signed-off-by: Arne Schwabe <[email protected]>
---
M src/openvpn/multi.c
M src/openvpn/ssl.c
M src/openvpn/ssl_ncp.c
3 files changed, 53 insertions(+), 8 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/19/1719/1

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index e72066f..f853669 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1707,6 +1707,43 @@
     gc_free(&gc);
 }

+
+/**
+ * Generates warning for p2p mode peers.
+ */
+static void
+multi_client_set_protocol_warnings_p2p(struct context *c)
+{
+    struct tls_multi *multi = c->c2.tls_multi;
+    const struct tls_session *session = &multi->session[TM_ACTIVE];
+
+    /* we can support p2p clients but only if we and the other side
+     * support asymmetric peer-id */
+    msg(D_TLS_DEBUG_LOW, "Note: peer reports running in P2P mode "
+                         "(no --pull/--client option). This will "
+                         "probably not work as expected.");
+
+    /* Figure out which side is lacking asymmetric peer-id support and
+     * print appropriate warnings */
+    if (!multi->use_asymmetric_peer_id)
+    {
+        if (session->opt->dco_enabled)
+        {
+            msg(D_TLS_DEBUG_LOW, "Note: Supporting P2P mode peers requires "
+                                 "support of asymmetric peer-id which the "
+                                 "current DCO module does not support. Disable 
"
+                                 "DCO or upgrade to a version of OpenVPN and "
+                                 "DCO that support asymmetric peer-id.");
+        }
+        if (extract_asymmetric_peer_id(multi->peer_info) == MAX_PEER_ID)
+        {
+            msg(D_TLS_DEBUG_LOW, "Note: Supporting P2P mode peers requires "
+                                 "support of asymmetric peer-id. The peer does 
not "
+                                 "indicate it supports this.");
+        }
+    }
+}
+
 /**
  * Calculates the options that depend on the client capabilities
  * based on local options and available peer info
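Review bot: The `if (session->opt->dco_enabled)` note in multi_client_set_protocol_warnings_p2p fires whenever DCO is on and `use_asymmetric_peer_id` is clear, even when the following `extract_asymmetric_peer_id(...) == MAX_PEER_ID` check shows the peer is the side lacking support, so both notes can print and the first blames the DCO module on no evidence. If the block comment's "figure out which side is lacking" is the intent, make the DCO branch an `else` of the peer check (or condition it on something that reflects the module's actual capability) and say in the comment which case wins when both apply. Separately, all three messages now go out at D_TLS_DEBUG_LOW while the first still says the connection "will probably not work as expected"; if that level sits above the default verbosity an operator never sees it, so either keep M_WARN for that first note (as the code it replaces did) or soften its text to match the level.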
@@ -1737,13 +1774,11 @@
         return false;
     }

-    /* Print a warning if we detect the client being in P2P mode and will
-     * not accept our pushed ciphers */
+    /* Print a warning if we detect the client being in P2P mode. The
+     * negotiations will be otherwise compatible */
     if (proto & IV_PROTO_NCP_P2P)
     {
-        msg(M_WARN, "Note: peer reports running in P2P mode (no 
--pull/--client "
-                    "option). It will not negotiate ciphers with this server. "
-                    "Expect this connection to fail.");
+        multi_client_set_protocol_warnings_p2p(c);
     }

     if (proto & IV_PROTO_REQUEST_PUSH)
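Review bot: The rewritten comment "The negotiations will be otherwise compatible" overstates what the commit message itself claims, which is that peer-id/DATAv2 still does not work without asymmetric peer-id support on the p2p client. Suggest `/* Print a warning if we detect the client being in P2P mode. Cipher negotiation is compatible; peer-id/DATAv2 still depend on asymmetric peer-id support on both sides. */`. The enclosing function starts and ends outside this hunk.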
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 5f3c09f..852d475 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1883,7 +1883,8 @@

     /* In server mode we only add this when the client has announced its
      * support for the feature */
-    if (session->opt->mode != MODE_SERVER || multi->use_asymmetric_peer_id)
+    if (session->opt->mode != MODE_SERVER || multi->use_asymmetric_peer_id
+        || !session->opt->server)
     {
         return buf_printf(out, "ID=%x\n", multi->rx_peer_id);
     }
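Review bot: The comment kept above the condition, "In server mode we only add this when the client has announced its support", is no longer accurate: the added `|| !session->opt->server` clause emits the `ID=` line in MODE_SERVER whenever that flag is clear, regardless of what the client announced. Update the comment to name the new case and what `opt->server` means here (the field's semantics are not visible in this hunk; if it is the TLS-server role, it is worth stating how it differs from `mode != MODE_SERVER` and whether the new clause can be true while the first is false), e.g. `/* Always send ID in p2p mode. As p2mp server only once the client has announced asymmetric peer-id support, or when we are not the TLS server. */`. The enclosing function starts outside the hunk.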
@@ -1994,7 +1995,8 @@
         }
         else
         {
-            /* We are not using pull or p2mp server, instead do P2P NCP */
+            /* We are not using pull and are are either in real p2p mode
+             * or doing p2p negotiation as p2mp server */
             iv_proto |= IV_PROTO_NCP_P2P;
         }

@@ -2331,6 +2333,14 @@
                 /* With DCO we don't need the tx_peer_id atm */
                 multi->tx_peer_id = multi->rx_peer_id;
             }
+            unsigned int iv_proto = extract_iv_proto(multi->peer_info);
+
+            if (iv_proto & IV_PROTO_NCP_P2P && 
multi->session->opt->push_peer_info_detail < 1)
+            {
+                /* If the peer is using NCP P2P we also use p2p to make 
connecting
+                 * with p2p peers easier */
+                multi->session->opt->push_peer_info_detail = 1;
+            }
         }
     }
     else
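Review bot: `iv_proto & IV_PROTO_NCP_P2P && multi->session->opt->push_peer_info_detail < 1` relies on `&` binding tighter than `&&`; it is correct, but the mixed bitwise/logical test reads better and survives -Wparentheses-style review as `if ((iv_proto & IV_PROTO_NCP_P2P) && session->opt->push_peer_info_detail < 1)`. `multi->session->opt` is `session[0].opt` by array decay, which is TM_ACTIVE only by convention; if the enclosing function (outside the hunk) receives the `struct tls_session *session` being processed, as the key-method read path upstream does, writing through `session->opt` makes the write land on the same options object and avoids the implicit index. The mutation is also only useful if it runs before the server assembles its own peer info, so the comment should state that dependence, e.g. `/* Must run before key_method_2_write(), where push_peer_info() reads this level. */`, hedged to whatever the real ordering is since it is not visible here.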
diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index e860f6d..003b77e 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -515,7 +515,7 @@
     }

     msg(D_TLS_DEBUG_LOW, "P2P mode NCP negotiation result: "
-                         "TLS_export=%d, DATA_v2=%d, rx-peer-id %d, tx-peer-id 
%d, epoch=%d, cipher=%s",
+                         "TLS_EKM=%d, DATA_v2=%d, rx-peer-id %d, tx-peer-id 
%d, epoch=%d, cipher=%s",
         (bool)(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT),
         multi->use_peer_id,
         multi->rx_peer_id,

Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8f3545f703126dbe96f809e69ad351749b14b1e1
Gerrit-Change-Number: 1719
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>