plaisthos has uploaded this change for review. ( http://gerrit.openvpn.net/c/openvpn/+/1719?usp=email )
Change subject: Support p2p NCP negotiation in p2mp mode
......................................................................
Support p2p NCP negotiation in p2mp mode
This sends the peer info of the server to a p2p mode client if it is detected. This is currently make little difference as peer-id/DATAv2 does not work without asymmetric peer-id support of the p2p mode client but prepares for mesh/multipeer support.
Change-Id: I8f3545f703126dbe96f809e69ad351749b14b1e1
Signed-off-by: Arne Schwabe <[email protected]>
---
M src/openvpn/multi.c
M src/openvpn/ssl.c
M src/openvpn/ssl_ncp.c
3 files changed, 53 insertions(+), 8 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/19/1719/1
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index e72066f..f853669 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1707,6 +1707,43 @@
 gc_free(&gc);
 }
+
+/**
+ * Generates warning for p2p mode peers.
+ */
+static void
+multi_client_set_protocol_warnings_p2p(struct context *c)
+{
+ struct tls_multi *multi = c->c2.tls_multi;
+ const struct tls_session *session = &multi->session[TM_ACTIVE];
+
+ /* we can support p2p clients but only if we and the other side
+ * support asymmetric peer-id */
+ msg(D_TLS_DEBUG_LOW, "Note: peer reports running in P2P mode "
+ "(no --pull/--client option). This will "
+ "probably not work as expected.");
+
+ /* Figure out which side is lacking asymmetric peer-id support and
+ * print appropriate warnings */
+ if (!multi->use_asymmetric_peer_id)
+ {
+ if (session->opt->dco_enabled)
+ {
+ msg(D_TLS_DEBUG_LOW, "Note: Supporting P2P mode peers requires "
+ "support of asymmetric peer-id which the "
+ "current DCO module does not support. Disable "
+ "DCO or upgrade to a version of OpenVPN and "
+ "DCO that support asymmetric peer-id.");
+ }
+ if (extract_asymmetric_peer_id(multi->peer_info) == MAX_PEER_ID)
+ {
+ msg(D_TLS_DEBUG_LOW, "Note: Supporting P2P mode peers requires "
+ "support of asymmetric peer-id. The peer does not "
+ "indicate it supports this.");
+ }
+ }
+}
+
 /**
 * Calculates the options that depend on the client capabilities
 * based on local options and available peer info
@@ -1737,13 +1774,11 @@
 return false;
 }
- /* Print a warning if we detect the client being in P2P mode and will
- * not accept our pushed ciphers */
+ /* Print a warning if we detect the client being in P2P mode. The
+ * negotiations will be otherwise compatible */
 if (proto & IV_PROTO_NCP_P2P)
 {
- msg(M_WARN, "Note: peer reports running in P2P mode (no --pull/--client "
- "option). It will not negotiate ciphers with this server. "
- "Expect this connection to fail.");
+ multi_client_set_protocol_warnings_p2p(c);
 }
 if (proto & IV_PROTO_REQUEST_PUSH)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 5f3c09f..852d475 100644
--- a/src/openvpn/ssl.c
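Review bot: Every message in the new multi_client_set_protocol_warnings_p2p is logged at D_TLS_DEBUG_LOW, whereas the message it replaces in the `@@ -1737,13 +1774,11 @@` hunk of this file was at M_WARN, so an operator running below debug verbosity now gets no hint why a P2P-mode peer's connection does not work as expected; keeping at least the first one as `msg(M_WARN, "Note: peer reports running in P2P mode "` would preserve that. Inside the `!multi->use_asymmetric_peer_id` branch, when neither `session->opt->dco_enabled` nor `extract_asymmetric_peer_id(multi->peer_info) == MAX_PEER_ID` holds (assuming those two are not the only ways the flag ends up false), only the generic note is printed with no reason, so either an explanatory fallback message or a comment stating that the two tests are exhaustive would help. The doxygen comment could also record the precondition and the outcome, e.g. `* Logs why a peer that advertised IV_PROTO_NCP_P2P will probably not get a working connection (asymmetric peer-id missing on our side or theirs); only called for such peers.`. Separately, the replacement comment in the `@@ -1737` hunk says the negotiations `will be otherwise compatible`, while the helper's first message tells the user it `will probably not work as expected`; the two should agree.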
+++ b/src/openvpn/ssl.c
@@ -1883,7 +1883,8 @@
 /* In server mode we only add this when the client has announced its
 * support for the feature */
- if (session->opt->mode != MODE_SERVER || multi->use_asymmetric_peer_id)
+ if (session->opt->mode != MODE_SERVER || multi->use_asymmetric_peer_id
+ || !session->opt->server)
 {
 return buf_printf(out, "ID=%x\n", multi->rx_peer_id);
 }
@@ -1994,7 +1995,8 @@
 }
 else
 {
- /* We are not using pull or p2mp server, instead do P2P NCP */
+ /* We are not using pull and are are either in real p2p mode
+ * or doing p2p negotiation as p2mp server */
 iv_proto |= IV_PROTO_NCP_P2P;
 }
@@ -2331,6 +2333,14 @@
 /* With DCO we don't need the tx_peer_id atm */
 multi->tx_peer_id = multi->rx_peer_id;
 }
+ unsigned int iv_proto = extract_iv_proto(multi->peer_info);
+
+ if (iv_proto & IV_PROTO_NCP_P2P && multi->session->opt->push_peer_info_detail < 1)
+ {
+ /* If the peer is using NCP P2P we also use p2p to make connecting
+ * with p2p peers easier */
+ multi->session->opt->push_peer_info_detail = 1;
+ }
 }
 }
 else
diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index e860f6d..003b77e 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -515,7 +515,7 @@
 }
 msg(D_TLS_DEBUG_LOW, "P2P mode NCP negotiation result: "
- "TLS_export=%d, DATA_v2=%d, rx-peer-id %d, tx-peer-id %d, epoch=%d, cipher=%s",
+ "TLS_EKM=%d, DATA_v2=%d, rx-peer-id %d, tx-peer-id %d, epoch=%d, cipher=%s",
 (bool)(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT),
 multi->use_peer_id,
 multi->rx_peer_id,
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1719?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8f3545f703126dbe96f809e69ad351749b14b1e1
Gerrit-Change-Number: 1719
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
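Review bot: The unchanged comment above the condition in the `@@ -1883,7 +1883,8 @@` hunk, `/* In server mode we only add this when the client has announced its support for the feature */`, no longer matches it: with the added `|| !session->opt->server` clause the `ID=` line is also sent without any announcement from the peer whenever `opt->server` is false, and a reader cannot tell from this line how `opt->mode != MODE_SERVER` and `!opt->server` differ. Suggest updating it to something like `/* Always sent when we are not acting as a p2mp server; a server only adds it once the client announced asymmetric peer-id support */`, adjusted to whatever `opt->server` really distinguishes from MODE_SERVER, so both cases are documented where the check lives. The enclosing function begins and ends outside the hunk.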
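Review bot: The rewritten comment in the `@@ -1994,7 +1995,8 @@` hunk contains a duplicated word, `are are either`; `/* We are not using pull and are either in real p2p mode` reads correctly, with the second comment line unchanged. The enclosing function is outside the hunk.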
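Review bot: The new block in the `@@ -2331,6 +2333,14 @@` hunk lets the remote peer raise this side's own `push_peer_info_detail` by setting IV_PROTO_NCP_P2P in its peer-info, so a peer-supplied bit now decides how much we disclose about ourselves in the peer-info we presumably send back; that looks intended, but the comment should say so and pin the ceiling, e.g. `/* Peer-controlled bit: only ever raise the level to 1 so a p2p peer gets our peer info; never lower a configured value */`. Two smaller points: `multi->session->opt` relies on `session[0]` being the active session, while the multi.c hunk of this change spells the same thing as `&multi->session[TM_ACTIVE]`, and `(iv_proto & IV_PROTO_NCP_P2P)` deserves its own parentheses inside the `&&`. Whether `multi->peer_info` is guaranteed to be set at this point depends on the surrounding branch, which, like the enclosing function, begins outside the hunk.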
