Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1479?usp=email
to review the following change.
Change subject: dco: ignore key transition window logic
......................................................................
dco: ignore key transition window logic
Userspace enforces a transition window when moving to a new key, which
involves renegotiating the key, installing it as a secondary one, and
waiting for an interval before fully adopting it. Although the DCO part
of this mechanism is set up in userspace, none of the drivers actually
implements it in the kernel.
Therefore we ignore the transition window and treat the newly installed
key as the primary one, allowing userspace to negotiate, install, and
swap it immediately.
Change-Id: I3d506725e69c09a9c77d6a9ba71a00e112e7abb6
---
M src/openvpn/dco.c
M src/openvpn/forward.c
2 files changed, 11 insertions(+), 0 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/79/1479/1
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 26b8645..a974206 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -78,6 +78,15 @@
multi->dco_keys_installed++;
ks->dco_status =
(slot == OVPN_KEY_SLOT_PRIMARY) ? DCO_INSTALLED_PRIMARY :
DCO_INSTALLED_SECONDARY;
+
+ /* TODO: currently none of the DCO drivers support a transition
+ * window when moving to a new key, so we need this hack to
+ * trick userspace into thinking that the newly installed key is the
+ * primary one (see dco_update_keys).
+ * This line should be removed once all drivers implement the
+ * transition window logic.
+ */
+ ks->auth_deferred_expire = now;
}
return ret;
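Review bot: the hack `ks->auth_deferred_expire = now;` is applied unconditionally, for both OVPN_KEY_SLOT_PRIMARY and OVPN_KEY_SLOT_SECONDARY installs, while the commit message and the TODO only motivate it for the newly installed secondary key that should be promoted immediately. Either guard it with `if (slot == OVPN_KEY_SLOT_SECONDARY)` or extend the comment to say why forcing the expiry is also correct for a primary-slot install. The comment should also spell out that `auth_deferred_expire` is the field `check_dco_key_status` (forward.c) reads, so a future reader sees why touching it here changes key-swap behaviour rather than anything auth-related; the "(see dco_update_keys)" pointer alone does not explain that coupling.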
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 5004e35..0827d63 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -221,6 +221,8 @@
* on ks->auth_deferred_expire that DCO needs to check that the normal
* TLS state engine does not check. So we call the \c check_dco_key_status
* function even if tmp_status does not indicate that something has
changed.
+ *
+ * TODO: this logic is missing on the kernel side.
*/
check_dco_key_status(c);
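Review bot: the added comment "TODO: this logic is missing on the kernel side." is too vague to act on: it does not say which logic (the key transition window) or which kernel side (the DCO drivers). Suggest wording it along the lines of "TODO: none of the DCO drivers implement the key transition window yet; dco.c forces auth_deferred_expire to now to compensate. Remove both once they do." so the two TODOs clearly belong to the same workaround and get removed together.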
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1479?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3d506725e69c09a9c77d6a9ba71a00e112e7abb6
Gerrit-Change-Number: 1479
Gerrit-PatchSet: 1
Gerrit-Owner: ralf_lici <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel