authorArne Schwabe2022-09-14 18:50:41 +0200
committerGert Doering2022-09-18 16:30:32 +0200
commit179b3728b71013413885e453e477997f5a396f78 (patch)
tree1200443c055887f569a9956bf1908decba20e44f /src/openvpn/sig.c
parent5ac33a88b10584c3e52dc0c01dad2571b75be239 (diff)
Implement exit notification via control channel
Current exit notification relies on data channel messages with specific prefix. Adding these to new data channel modules (DCO) adds unnecessary complexity for the data path for messages that conceptually belong to the control channel anyway. This patch adds announcing support for control channel and sending/receiving it. We use the simple EXIT message for this. Patch v2: add comment about protocol-flags to be not a user visible option, fix various grammar mistakes, remove unused argument to receive_exit_message Patch v3: rename data_channel_crypto_flags to imported_protocol_flags add tls-ekm to protocol-flags. Patch v4: rebase, use a buffer for the code that prepares the push reply Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Heiko Hund <heiko@ist.eigentlich.net> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20220914165041.2658423-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25209.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/sig.c')
-rw-r--r--src/openvpn/sig.c30
1 files changed, 28 insertions, 2 deletions
diff --git a/src/openvpn/sig.c b/src/openvpn/sig.c
index e06edd2..65cd25c 100644
--- a/src/openvpn/sig.c
+++ b/src/openvpn/sig.c
@@ -321,20 +321,46 @@ print_status(const struct context *c, struct status_output *so)
gc_free(&gc);
}
+
+/* Small helper function to determine if we should send the exit notification
+ * via control channel */
+static inline bool
+cc_exit_notify_enabled(struct context *c)
+{
+ /* Check if we have TLS active at all */
+ if (!c->c2.tls_multi)
+ {
+ return false;
+ }
+
+ const struct key_state *ks = get_primary_key(c->c2.tls_multi);
+ return (ks->crypto_options.flags & CO_USE_CC_EXIT_NOTIFY);
+}
+
/*
* Handle the triggering and time-wait of explicit
* exit notification.
*/
-
static void
process_explicit_exit_notification_init(struct context *c)
{
msg(M_INFO, "SIGTERM received, sending exit notification to peer");
+ /* init the timeout to send the OCC_EXIT messages if cc exit is not
+ * enabled and also to exit after waiting for retries of resending of
+ * exit messages */
event_timeout_init(&c->c2.explicit_exit_notification_interval, 1, 0);
reset_coarse_timers(c);
+
signal_reset(c->sig);
halt_non_edge_triggered_signals();
c->c2.explicit_exit_notification_time_wait = now;
+
+ /* Check if we are in TLS mode and should send the notification via data
+ * channel */
+ if (cc_exit_notify_enabled(c))
+ {
+ send_control_channel_string(c, "EXIT", D_PUSH);
+ }
}
void
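Review bot: The comment above the `if (cc_exit_notify_enabled(c))` block in process_explicit_exit_notification_init says the notification is sent "via data channel", but the call under it sends the `EXIT` string over the control channel; the data-channel OCC_EXIT message is the fallback that the timer wakeup queues only when cc notification is off. Suggest `/* In TLS mode with CO_USE_CC_EXIT_NOTIFY negotiated, send the notification over the control channel; otherwise the timer wakeup falls back to OCC_EXIT */`. The result of send_control_channel_string() (a bool in OpenVPN's forward.c, as far as I recall) is discarded, so a send that cannot be queued leaves the peer with no notification at all while the wakeup path no longer emits OCC_EXIT; logging the failure, e.g. `if (!send_control_channel_string(c, "EXIT", D_PUSH)) { msg(D_PUSH, "could not queue control channel exit notification"); }`, makes that gap visible in the log. cc_exit_notify_enabled() only reads through its argument and could take `const struct context *c`, which also lets callers holding a const context use it.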
@@ -351,7 +377,7 @@ process_explicit_exit_notification_timer_wakeup(struct context *c)
c->sig->signal_received = SIGTERM;
c->sig->signal_text = "exit-with-notification";
}
- else
+ else if (!cc_exit_notify_enabled(c))
{
c->c2.occ_op = OCC_EXIT;
}