Change subject: Extract handle_connection_attempt from
multi_get_create_instance_udp
......................................................................
Extract handle_connection_attempt from multi_get_create_instance_udp
The multi_get_create_instance_udp function is quite large. This factors out the
one branch that handles new connection attempts and creates instances for them.
Change-Id: I6a032465e66b49ab0ce8b1a84ead8d9acef918de
Signed-off-by: Arne Schwabe <[email protected]>
---
M src/openvpn/mudp.c
1 file changed, 72 insertions(+), 50 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/20/1720/3
diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c
index b1de446..7d4fee1 100644
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
@@ -194,12 +194,81 @@
return false;
}
-/*
+/**
+ * Handles a packet if no existing session exists for this incoming packet.
+ *
+ * It will either to send a reply with a hmac cookie if this is the first
+ * packet of a three-way handshake or create a multi_instance if it is a
+ * packet that completes the three-way handshake.
+ */
+static struct multi_instance *
+handle_connection_attempt(struct multi_context *m,
+ struct link_socket *sock,
+ struct mroute_addr *real,
+ const uint64_t hv,
+ struct hash_bucket *bucket)
+{
+ struct hash *hash = m->hash;
+ struct tls_pre_decrypt_state state = { 0 };
+ struct multi_instance *mi = NULL;
+ struct gc_arena gc = gc_new();
+
+ if (m->deferred_shutdown_signal.signal_received)
+ {
+ msg(D_MULTI_ERRORS,
+ "MULTI: Connection attempt from %s ignored while server is "
+ "shutting down",
+ mroute_addr_print(real, &gc));
+ }
+ else if (do_pre_decrypt_check(m, &state, *real, sock))
+ {
+ /* This is an unknown session but with valid tls-auth/tls-crypt
+ * (or no auth at all). If this is the initial packet of a
+ * session, we just send a reply with a HMAC session id and
+ * do not generate a session slot */
+
+ if (frequency_limit_event_allowed(m->new_connection_limiter))
+ {
+ /* a successful three-way handshake only counts against
+ * connect-freq but not against connect-freq-initial */
+ reflect_filter_rate_limit_decrease(m->initial_rate_limiter);
+
+ mi = multi_create_instance(m, real, sock);
+ if (mi)
+ {
+ hash_add_fast(hash, bucket, &mi->real, hv, mi);
+ mi->did_real_hash = true;
+ multi_assign_peer_id(m, mi);
+
+ /* If we have a session id already, ensure that the
+ * state is using the same */
+ if (session_id_defined(&state.server_session_id)
+ && session_id_defined((&state.peer_session_id)))
+ {
+ mi->context.c2.tls_multi->n_sessions++;
+ struct tls_session *session =
+ &mi->context.c2.tls_multi->session[TM_INITIAL];
+ session_skip_to_pre_start(session, &state,
&m->top.c2.from);
+ }
+ }
+ }
+ else
+ {
+ msg(D_MULTI_ERRORS,
+ "MULTI: Connection from %s would exceed new connection
frequency limit as controlled by --connect-freq",
+ mroute_addr_print(real, &gc));
+ }
+ }
+ free_tls_pre_decrypt_state(&state);
+ gc_free(&gc);
+ return mi;
+}
+
+/**
* Get a client instance based on real address. If
* the instance doesn't exist, create it while
* maintaining real address hash table atomicity.
*/
-
struct multi_instance *
multi_get_create_instance_udp(struct multi_context *m, bool *floated, struct
link_socket *sock)
{
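Review bot: The new doc comment on handle_connection_attempt has a grammar slip ("It will either to send a reply") and documents neither the parameters nor the return value, which matters because NULL is returned both when the attempt is deliberately not turned into an instance (server shutting down, --connect-freq exceeded, or a first handshake packet that only gets the HMAC reply) and when multi_create_instance fails. I'd change the second paragraph to `It will either send a reply with an HMAC cookie if this is the first packet of a three-way handshake, or create a multi_instance if the packet completes it.` and add @param/@return lines, with @return stating that NULL means no instance was created for any of those reasons. The bucket parameter deserves a precondition note, since hash_add_fast is called with m->hash but the caller's bucket: `@param bucket the bucket of m->hash that the caller already resolved for hv; no other hash mutation may happen in between` (the original code had the same implicit coupling through the caller's locals, so this only makes it explicit). If multi_create_instance accepts a const pointer, `real` could also be `const struct mroute_addr *`, since nothing in this function writes through it.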
@@ -258,54 +327,7 @@
/* we have no existing multi instance for this connection */
if (!mi)
{
- struct tls_pre_decrypt_state state = { 0 };
- if (m->deferred_shutdown_signal.signal_received)
- {
- msg(D_MULTI_ERRORS,
- "MULTI: Connection attempt from %s ignored while server is
"
- "shutting down",
- mroute_addr_print(&real, &gc));
- }
- else if (do_pre_decrypt_check(m, &state, real, sock))
- {
- /* This is an unknown session but with valid tls-auth/tls-crypt
- * (or no auth at all). If this is the initial packet of a
- * session, we just send a reply with a HMAC session id and
- * do not generate a session slot */
-
- if (frequency_limit_event_allowed(m->new_connection_limiter))
- {
- /* a successful three-way handshake only counts against
- * connect-freq but not against connect-freq-initial */
-
reflect_filter_rate_limit_decrease(m->initial_rate_limiter);
-
- mi = multi_create_instance(m, &real, sock);
- if (mi)
- {
- hash_add_fast(hash, bucket, &mi->real, hv, mi);
- mi->did_real_hash = true;
- multi_assign_peer_id(m, mi);
-
- /* If we have a session id already, ensure that the
- * state is using the same */
- if (session_id_defined(&state.server_session_id)
- && session_id_defined((&state.peer_session_id)))
- {
- mi->context.c2.tls_multi->n_sessions++;
- struct tls_session *session =
- &mi->context.c2.tls_multi->session[TM_INITIAL];
- session_skip_to_pre_start(session, &state,
&m->top.c2.from);
- }
- }
- }
- else
- {
- msg(D_MULTI_ERRORS,
- "MULTI: Connection from %s would exceed new connection
frequency limit as controlled by --connect-freq",
- mroute_addr_print(&real, &gc));
- }
- }
- free_tls_pre_decrypt_state(&state);
+ mi = handle_connection_attempt(m, sock, &real, hv, bucket);
}
#ifdef ENABLE_DEBUG
--
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I6a032465e66b49ab0ce8b1a84ead8d9acef918de
Gerrit-Change-Number: 1720
Gerrit-PatchSet: 3
Gerrit-Owner: plaisthos <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>