diff mbox series

[Openvpn-devel,12/25] dco: check that pulled options are compatible

Message ID 20220624083809.23487-13-a@unstable.cc
State Changes Requested
Headers show
Series ovpn-dco: introduce data-channel offload support | expand

Commit Message

Antonio Quartulli June 23, 2022, 10:37 p.m. UTC 
A server may push options that are not compatible with DCO.
In this case we should log a message and bail out.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
---
 src/openvpn/init.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

Comments

Arne Schwabe June 28, 2022, 4:32 a.m. UTC | #1 
Am 24.06.22 um 10:37 schrieb Antonio Quartulli:
> A server may push options that are not compatible with DCO.
> In this case we should log a message and bail out.

Acked-By: Arne Schwabe <arne@rfc2549.org>
Gert Doering July 14, 2022, 10:14 a.m. UTC | #2 
Hi,

On Fri, Jun 24, 2022 at 10:37:56AM +0200, Antonio Quartulli wrote:
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index b0a4b252..091cbd24 100644
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -2219,6 +2219,19 @@ do_deferred_p2p_ncp(struct context *c)
>      return true;
>  }
>  
> +
> +static bool
> +check_dco_pull_options(struct options *o)
> +{

Nitpicking a bit - the "other" DCO option check functions are in dco.c
(not yet, but in the patches leading up to this), so why is this one in
init.c?

gert
Antonio Quartulli July 18, 2022, 12:54 p.m. UTC | #3 
Hi,

On 14/07/2022 22:14, Gert Doering wrote:
> Hi,
> 
> On Fri, Jun 24, 2022 at 10:37:56AM +0200, Antonio Quartulli wrote:
>> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
>> index b0a4b252..091cbd24 100644
>> --- a/src/openvpn/init.c
>> +++ b/src/openvpn/init.c
>> @@ -2219,6 +2219,19 @@ do_deferred_p2p_ncp(struct context *c)
>>       return true;
>>   }
>>   
>> +
>> +static bool
>> +check_dco_pull_options(struct options *o)
>> +{
> 
> Nitpicking a bit - the "other" DCO option check functions are in dco.c
> (not yet, but in the patches leading up to this), so why is this one in
> init.c?

good point. will move it to dco.c and send v2

Cheers,

> 
> gert
diff mbox series

Patch

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index b0a4b252..091cbd24 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2219,6 +2219,19 @@  do_deferred_p2p_ncp(struct context *c)
     return true;
 }
 
+
+static bool
+check_dco_pull_options(struct options *o)
+{
+    if (!o->use_peer_id)
+    {
+        msg(D_TLS_ERRORS, "OPTIONS IMPORT: Server did not request DATA_V2 packet "
+            "format required for data channel offload");
+        return false;
+    }
+    return true;
+}
+
 /*
  * Handle non-tun-related pulled options.
  */
@@ -2341,6 +2354,16 @@  finish_options(struct context *c)
         return false;
     }
 
+    /* Check if the pushed options are compatible with DCO if we have
+     * DCO enabled */
+    if (dco_enabled(&c->options) && !check_dco_pull_options(&c->options))
+    {
+        msg(D_TLS_ERRORS, "OPTIONS ERROR: pushed options are incompatible with "
+            "data channel offload. Use --disable-dco to connect"
+            "to this server");
+        return false;
+    }
+
     return true;
 }