| Message ID | 20220512231105.1076835-1-heiko@ist.eigentlich.net |
|---|---|
| State | Rejected |
| Headers | show |
| Series | [Openvpn-devel] signal --dns support in peer info | expand |
Am 13.05.2022 um 01:11 schrieb Heiko Hund: > Have clients set a bit in IV_PROTO, so that servers can make an informed > decision on whether to push --dns to the client. While unknown options > are ignored by clients when pushed, they generate a warning in the log. > That can be circumvented by server backends by checking if bit 7 is set. Acked-By: Arne Schwabe <arne@rfc2549.org>
Am 13.05.2022 um 09:14 schrieb Arne Schwabe: > > Am 13.05.2022 um 01:11 schrieb Heiko Hund: >> Have clients set a bit in IV_PROTO, so that servers can make an informed >> decision on whether to push --dns to the client. While unknown options >> are ignored by clients when pushed, they generate a warning in the log. >> That can be circumvented by server backends by checking if bit 7 is set. > Acked-By: Arne Schwabe <arne@rfc2549.org> > I retract my ACK. David noticed that the & in the patch should be an | and I didn't look closely enough.
On Freitag, 13. Mai 2022 09:17:49 CEST Arne Schwabe wrote: > Am 13.05.2022 um 09:14 schrieb Arne Schwabe: > > Am 13.05.2022 um 01:11 schrieb Heiko Hund: > >> Have clients set a bit in IV_PROTO, so that servers can make an informed > >> decision on whether to push --dns to the client. While unknown options > >> are ignored by clients when pushed, they generate a warning in the log. > >> That can be circumvented by server backends by checking if bit 7 is set. > > > > Acked-By: Arne Schwabe <arne@rfc2549.org> > > I retract my ACK. David noticed that the & in the patch should be an | > and I didn't look closely enough. Quite stupid, v2 incoming.
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 61dea996..12f51150 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1937,8 +1937,8 @@ push_peer_info(struct buffer *buf, struct tls_session *session) /* These are the IV variable that are sent to peers in p2p mode */ if (session->opt->push_peer_info_detail > 0) { - /* support for P_DATA_V2 */ - int iv_proto = IV_PROTO_DATA_V2; + /* support for P_DATA_V2 and the --dns option */ + int iv_proto = IV_PROTO_DATA_V2 & IV_PROTO_DNS_OPTION; /* support for receiving push_reply before sending * push request, also signal that the client wants diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 0ba86d3e..c8802707 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -93,6 +93,9 @@ * result. */ #define IV_PROTO_NCP_P2P (1<<5) +/** Supports the --dns option introduced in version 2.6 */ +#define IV_PROTO_DNS_OPTION (1<<6) + /* Default field in X509 to be username */ #define X509_USERNAME_FIELD_DEFAULT "CN"
Have clients set a bit in IV_PROTO, so that servers can make an informed decision on whether to push --dns to the client. While unknown options are ignored by clients when pushed, they generate a warning in the log. That can be circumvented by server backends by checking if bit 7 is set. Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net> --- src/openvpn/ssl.c | 4 ++-- src/openvpn/ssl.h | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-)