Message ID | 20220624083809.23487-13-a@unstable.cc |
---|---|
State | Changes Requested |
Headers | show |
Series | ovpn-dco: introduce data-channel offload support | expand |
Am 24.06.22 um 10:37 schrieb Antonio Quartulli: > A server may push options that are not compatible with DCO. > In this case we should log a message and bail out. Acked-By: Arne Schwabe <arne@rfc2549.org>
Hi, On Fri, Jun 24, 2022 at 10:37:56AM +0200, Antonio Quartulli wrote: > diff --git a/src/openvpn/init.c b/src/openvpn/init.c > index b0a4b252..091cbd24 100644 > --- a/src/openvpn/init.c > +++ b/src/openvpn/init.c > @@ -2219,6 +2219,19 @@ do_deferred_p2p_ncp(struct context *c) > return true; > } > > + > +static bool > +check_dco_pull_options(struct options *o) > +{ Nitpicking a bit - the "other" DCO option check functions are in dco.c (not yet, but in the patches leading up to this), so why is this one in init.c? gert
Hi, On 14/07/2022 22:14, Gert Doering wrote: > Hi, > > On Fri, Jun 24, 2022 at 10:37:56AM +0200, Antonio Quartulli wrote: >> diff --git a/src/openvpn/init.c b/src/openvpn/init.c >> index b0a4b252..091cbd24 100644 >> --- a/src/openvpn/init.c >> +++ b/src/openvpn/init.c >> @@ -2219,6 +2219,19 @@ do_deferred_p2p_ncp(struct context *c) >> return true; >> } >> >> + >> +static bool >> +check_dco_pull_options(struct options *o) >> +{ > > Nitpicking a bit - the "other" DCO option check functions are in dco.c > (not yet, but in the patches leading up to this), so why is this one in > init.c? good point. will move it to dco.c and send v2 Cheers, > > gert
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index b0a4b252..091cbd24 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2219,6 +2219,19 @@ do_deferred_p2p_ncp(struct context *c) return true; } + +static bool +check_dco_pull_options(struct options *o) +{ + if (!o->use_peer_id) + { + msg(D_TLS_ERRORS, "OPTIONS IMPORT: Server did not request DATA_V2 packet " + "format required for data channel offload"); + return false; + } + return true; +} + /* * Handle non-tun-related pulled options. */ @@ -2341,6 +2354,16 @@ finish_options(struct context *c) return false; } + /* Check if the pushed options are compatible with DCO if we have + * DCO enabled */ + if (dco_enabled(&c->options) && !check_dco_pull_options(&c->options)) + { + msg(D_TLS_ERRORS, "OPTIONS ERROR: pushed options are incompatible with " + "data channel offload. Use --disable-dco to connect" + "to this server"); + return false; + } + return true; }
A server may push options that are not compatible with DCO. In this case we should log a message and bail out. Signed-off-by: Antonio Quartulli <a@unstable.cc> --- src/openvpn/init.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+)