cron2 has uploaded a new patch set (#4) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1720?usp=email )
The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Extract handle_connection_attempt from multi_get_create_instance_udp ...................................................................... Extract handle_connection_attempt from multi_get_create_instance_udp The multi_get_create_instance_udp is quite large. This factors out the one branch that handles and creates new connection attempts. Change-Id: I6a032465e66b49ab0ce8b1a84ead8d9acef918de Signed-off-by: Arne Schwabe <[email protected]> Acked-by: Frank Lichtenheld <[email protected]> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1720 Message-Id: <[email protected]> URL: https://www.mail-archive.com/[email protected]/msg37336.html Signed-off-by: Gert Doering <[email protected]> --- M src/openvpn/mudp.c 1 file changed, 72 insertions(+), 50 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/20/1720/4 diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 143a330..f919b67 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -194,12 +194,81 @@ return false; } -/* +/** + * Handles a packet if no existing session exists for this incoming packet. + * + * It will either send a reply with a hmac cookie if this is the first + * packet of a three-way handshake or create a multi_instance if it is a + * packet that completes the three-way handshake. + */ +static struct multi_instance * +handle_connection_attempt(struct multi_context *m, + struct link_socket *sock, + struct mroute_addr *real, + const uint64_t hv, + struct hash_bucket *bucket) +{ + struct hash *hash = m->hash; + struct tls_pre_decrypt_state state = { 0 }; + struct multi_instance *mi = NULL; + struct gc_arena gc = gc_new(); + + if (m->deferred_shutdown_signal.signal_received) + { + msg(D_MULTI_ERRORS, + "MULTI: Connection attempt from %s ignored while server is " + "shutting down", + mroute_addr_print(real, &gc)); + } + else if (do_pre_decrypt_check(m, &state, *real, sock)) + { + /* This is an unknown session but with valid tls-auth/tls-crypt + * (or no auth at all). If this is the initial packet of a + * session, we just send a reply with a HMAC session id and + * do not generate a session slot */ + + if (frequency_limit_event_allowed(m->new_connection_limiter)) + { + /* a successful three-way handshake only counts against + * connect-freq but not against connect-freq-initial */ + reflect_filter_rate_limit_decrease(m->initial_rate_limiter); + + mi = multi_create_instance(m, real, sock); + if (mi) + { + hash_add_fast(hash, bucket, &mi->real, hv, mi); + mi->did_real_hash = true; + multi_assign_peer_id(m, mi); + + /* If we have a session id already, ensure that the + * state is using the same */ + if (session_id_defined(&state.server_session_id) + && session_id_defined((&state.peer_session_id))) + { + mi->context.c2.tls_multi->n_sessions++; + struct tls_session *session = + &mi->context.c2.tls_multi->session[TM_INITIAL]; + session_skip_to_pre_start(session, &state, &m->top.c2.from); + } + } + } + else + { + msg(D_MULTI_ERRORS, + "MULTI: Connection from %s would exceed new connection frequency limit as controlled by --connect-freq", + mroute_addr_print(real, &gc)); + } + } + free_tls_pre_decrypt_state(&state); + gc_free(&gc); + return mi; +} + +/** * Get a client instance based on real address. If * the instance doesn't exist, create it while * maintaining real address hash table atomicity. */ - struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated, struct link_socket *sock) { @@ -258,54 +327,7 @@ /* we have no existing multi instance for this connection */ if (!mi) { - struct tls_pre_decrypt_state state = { 0 }; - if (m->deferred_shutdown_signal.signal_received) - { - msg(D_MULTI_ERRORS, - "MULTI: Connection attempt from %s ignored while server is " - "shutting down", - mroute_addr_print(&real, &gc)); - } - else if (do_pre_decrypt_check(m, &state, real, sock)) - { - /* This is an unknown session but with valid tls-auth/tls-crypt - * (or no auth at all). If this is the initial packet of a - * session, we just send a reply with a HMAC session id and - * do not generate a session slot */ - - if (frequency_limit_event_allowed(m->new_connection_limiter)) - { - /* a successful three-way handshake only counts against - * connect-freq but not against connect-freq-initial */ - reflect_filter_rate_limit_decrease(m->initial_rate_limiter); - - mi = multi_create_instance(m, &real, sock); - if (mi) - { - hash_add_fast(hash, bucket, &mi->real, hv, mi); - mi->did_real_hash = true; - multi_assign_peer_id(m, mi); - - /* If we have a session id already, ensure that the - * state is using the same */ - if (session_id_defined(&state.server_session_id) - && session_id_defined((&state.peer_session_id))) - { - mi->context.c2.tls_multi->n_sessions++; - struct tls_session *session = - &mi->context.c2.tls_multi->session[TM_INITIAL]; - session_skip_to_pre_start(session, &state, &m->top.c2.from); - } - } - } - else - { - msg(D_MULTI_ERRORS, - "MULTI: Connection from %s would exceed new connection frequency limit as controlled by --connect-freq", - mroute_addr_print(&real, &gc)); - } - } - free_tls_pre_decrypt_state(&state); + mi = handle_connection_attempt(m, sock, &real, hv, bucket); } #ifdef ENABLE_DEBUG -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1720?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6a032465e66b49ab0ce8b1a84ead8d9acef918de Gerrit-Change-Number: 1720 Gerrit-PatchSet: 4 Gerrit-Owner: plaisthos <[email protected]> Gerrit-Reviewer: flichtenheld <[email protected]> Gerrit-CC: openvpn-devel <[email protected]>
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
