Attention is currently required from: flichtenheld.
Hello flichtenheld,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1719?usp=email
to look at the new patch set (#3).
The following approvals got outdated and were removed:
Code-Review-1 by flichtenheld
Change subject: Support p2p NCP negotiation in p2mp mode
......................................................................
Support p2p NCP negotiation in p2mp mode
This sends the peer info of the server to a p2p mode client if it is
detected. This currently makes little difference as peer-id/DATAv2 does
not work without asymmetric peer-id support of the p2p mode client but
prepares for mesh/multipeer support.
Change-Id: I8f3545f703126dbe96f809e69ad351749b14b1e1
Signed-off-by: Arne Schwabe <[email protected]>
---
M src/openvpn/multi.c
M src/openvpn/ssl.c
M src/openvpn/ssl_ncp.c
3 files changed, 51 insertions(+), 7 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/19/1719/3
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index b870d89..3cc53bc 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1723,6 +1723,43 @@
gc_free(&gc);
}
+
+/**
+ * Generates warning for p2p mode peers.
+ */
+static void
+multi_client_set_protocol_warnings_p2p(struct context *c)
+{
+ struct tls_multi *multi = c->c2.tls_multi;
+ const struct tls_session *session = &multi->session[TM_ACTIVE];
+
+ /* we can support p2p clients but only if we and the other side
+ * support asymmetric peer-id */
+ msg(D_TLS_DEBUG_LOW, "Note: peer reports running in P2P mode "
+ "(no --pull/--client option). This will "
+ "probably not work as expected.");
+
+ /* Figure out which side is lacking asymmetric peer-id support and
+ * print appropriate warnings */
+ if (!multi->use_asymmetric_peer_id)
+ {
+ if (session->opt->dco_enabled)
+ {
+ msg(D_TLS_DEBUG_LOW, "Note: Supporting P2P mode peers requires "
+ "support of asymmetric peer-id which the "
+ "current DCO module does not support. Disable
"
+ "DCO or upgrade to a version of OpenVPN and "
+ "DCO that support asymmetric peer-id.");
+ }
+ if (extract_asymmetric_peer_id(multi->peer_info) == MAX_PEER_ID)
+ {
+ msg(D_TLS_DEBUG_LOW, "Note: Supporting P2P mode peers requires "
+ "support of asymmetric peer-id. The peer does
not "
+ "indicate it supports this.");
+ }
+ }
+}
+
/**
* Calculates the options that depend on the client capabilities
* based on local options and available peer info
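Review bot: the inner block of `if (!multi->use_asymmetric_peer_id)` prints nothing when neither `session->opt->dco_enabled` nor `extract_asymmetric_peer_id(multi->peer_info) == MAX_PEER_ID` holds, so in that case the admin only gets the generic "will probably not work as expected" note and no reason; add a fallback message for that path or a comment explaining why the two checks are exhaustive. The two checks are also independent `if`s, so both notes can print for the same peer (local DCO lacks support and the peer did not announce it); if that is intended, a one-line comment saying so would avoid a reader thinking it should be an `else if`.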
@@ -1753,13 +1790,11 @@
return false;
}
- /* Print a warning if we detect the client being in P2P mode and will
- * not accept our pushed ciphers */
+ /* Print a warning if we detect the client being in P2P mode. The
+ * negotiations will be otherwise compatible */
if (proto & IV_PROTO_NCP_P2P)
{
- msg(M_WARN, "Note: peer reports running in P2P mode (no
--pull/--client "
- "option). It will not negotiate ciphers with this server. "
- "Expect this connection to fail.");
+ multi_client_set_protocol_warnings_p2p(c);
}
if (proto & IV_PROTO_REQUEST_PUSH)
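Review bot: the removed message was logged at `M_WARN`, but its replacement in `multi_client_set_protocol_warnings_p2p()` logs at `D_TLS_DEBUG_LOW`, so at default verbosity the server operator will no longer see that a P2P-mode peer connected and is expected not to work; if the downgrade is deliberate, state why in the commit message, otherwise keep `M_WARN` for at least the first note. The new comment "The negotiations will be otherwise compatible" is also vague compared with the one it replaces; say compatible with what (the cipher negotiation the old comment referred to).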
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 0e8b4bd..7499628 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1883,7 +1883,8 @@
/* In server mode we only add this when the client has announced its
* support for the feature */
- if (session->opt->mode != MODE_SERVER || multi->use_asymmetric_peer_id)
+ if (session->opt->mode != MODE_SERVER || multi->use_asymmetric_peer_id
+ || !session->opt->server)
{
return buf_printf(out, "ID=%x\n", multi->rx_peer_id);
}
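Review bot: the comment "In server mode we only add this when the client has announced its support for the feature" no longer matches the condition once `|| !session->opt->server` is added, because an instance that is in `MODE_SERVER` but not configured with `--server` now sends `ID=` regardless of what the peer announced; update the comment to explain the difference between `mode != MODE_SERVER` and `!opt->server`, and why emitting `multi->rx_peer_id` without the peer having announced asymmetric peer-id support is safe in that configuration.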
@@ -2331,6 +2332,14 @@
/* With DCO we don't need the tx_peer_id atm */
multi->tx_peer_id = multi->rx_peer_id;
}
+ unsigned int iv_proto = extract_iv_proto(multi->peer_info);
+
+ if (iv_proto & IV_PROTO_NCP_P2P &&
multi->session->opt->push_peer_info_detail < 1)
+ {
+ /* If the peer is using NCP P2P we also enable p2p NCP allow
+ * peers in p2p mode to connect */
+ multi->session->opt->push_peer_info_detail = 1;
+ }
}
}
else
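Review bot: `multi->session->opt->push_peer_info_detail = 1;` changes a local option based on a flag taken from the peer's `peer_info`; if `opt` is shared between sessions or outlives this connection, one P2P-mode peer would alter the server's peer-info behaviour for later connections, so the hunk needs a comment (or a test) confirming it is per-connection state. Smaller points: the comment "we also enable p2p NCP allow peers in p2p mode to connect" is missing "to" before "allow"; the condition should parenthesize the bitwise test as the multi.c hunk does, e.g. `if ((iv_proto & IV_PROTO_NCP_P2P) && multi->session->opt->push_peer_info_detail < 1)`; and this hunk reads `multi->session->opt` while the multi.c hunk uses `&multi->session[TM_ACTIVE]`, so pick one consistently.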
diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index e860f6d..003b77e 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -515,7 +515,7 @@
}
msg(D_TLS_DEBUG_LOW, "P2P mode NCP negotiation result: "
- "TLS_export=%d, DATA_v2=%d, rx-peer-id %d, tx-peer-id
%d, epoch=%d, cipher=%s",
+ "TLS_EKM=%d, DATA_v2=%d, rx-peer-id %d, tx-peer-id
%d, epoch=%d, cipher=%s",
(bool)(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT),
multi->use_peer_id,
multi->rx_peer_id,
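Review bot: renaming the log label from `TLS_export` to `TLS_EKM` is a user-visible log-format change that the commit message (which only describes sending peer info to P2P-mode clients) does not mention; either note it there or move it to its own commit, since anyone matching the old string in log processing will silently lose the match.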
--
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I8f3545f703126dbe96f809e69ad351749b14b1e1
Gerrit-Change-Number: 1719
Gerrit-PatchSet: 3
Gerrit-Owner: plaisthos <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel