[Openvpn-devel] signal --dns support in peer info

Message ID 20220512231105.1076835-1-heiko@ist.eigentlich.net
State Rejected
Headers show
Series
  • [Openvpn-devel] signal --dns support in peer info
Related show

Commit Message

Heiko Hund May 12, 2022, 11:11 p.m.
Have clients set a bit in IV_PROTO, so that servers can make an informed
decision on whether to push --dns to the client. While unknown options
are ignored by clients when pushed, they generate a warning in the log.
That can be circumvented by server backends by checking if bit 7 is set.

Signed-off-by: Heiko Hund <heiko@ist.eigentlich.net>
---
 src/openvpn/ssl.c | 4 ++--
 src/openvpn/ssl.h | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)

Comments

Arne Schwabe May 13, 2022, 7:14 a.m. | #1
Am 13.05.2022 um 01:11 schrieb Heiko Hund:
> Have clients set a bit in IV_PROTO, so that servers can make an informed
> decision on whether to push --dns to the client. While unknown options
> are ignored by clients when pushed, they generate a warning in the log.
> That can be circumvented by server backends by checking if bit 7 is set.
Acked-By: Arne Schwabe <arne@rfc2549.org>
Arne Schwabe May 13, 2022, 7:17 a.m. | #2
Am 13.05.2022 um 09:14 schrieb Arne Schwabe:
>
> Am 13.05.2022 um 01:11 schrieb Heiko Hund:
>> Have clients set a bit in IV_PROTO, so that servers can make an informed
>> decision on whether to push --dns to the client. While unknown options
>> are ignored by clients when pushed, they generate a warning in the log.
>> That can be circumvented by server backends by checking if bit 7 is set.
> Acked-By: Arne Schwabe <arne@rfc2549.org>
>
I retract my ACK. David noticed that the & in the patch should be an | 
and I didn't look closely enough.
Heiko Hund May 13, 2022, 9:33 a.m. | #3
On Freitag, 13. Mai 2022 09:17:49 CEST Arne Schwabe wrote:
> Am 13.05.2022 um 09:14 schrieb Arne Schwabe:
> > Am 13.05.2022 um 01:11 schrieb Heiko Hund:
> >> Have clients set a bit in IV_PROTO, so that servers can make an informed
> >> decision on whether to push --dns to the client. While unknown options
> >> are ignored by clients when pushed, they generate a warning in the log.
> >> That can be circumvented by server backends by checking if bit 7 is set.
> > 
> > Acked-By: Arne Schwabe <arne@rfc2549.org>
> 
> I retract my ACK. David noticed that the & in the patch should be an |
> and I didn't look closely enough.

Quite stupid, v2 incoming.

Patch

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 61dea996..12f51150 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1937,8 +1937,8 @@  push_peer_info(struct buffer *buf, struct tls_session *session)
     /* These are the IV variable that are sent to peers in p2p mode */
     if (session->opt->push_peer_info_detail > 0)
     {
-        /* support for P_DATA_V2 */
-        int iv_proto = IV_PROTO_DATA_V2;
+        /* support for P_DATA_V2 and the --dns option */
+        int iv_proto = IV_PROTO_DATA_V2 & IV_PROTO_DNS_OPTION;
 
         /* support for receiving push_reply before sending
          * push request, also signal that the client wants
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 0ba86d3e..c8802707 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -93,6 +93,9 @@ 
  * result. */
 #define IV_PROTO_NCP_P2P         (1<<5)
 
+/** Supports the --dns option introduced in version 2.6 */
+#define IV_PROTO_DNS_OPTION      (1<<6)
+
 /* Default field in X509 to be username */
 #define X509_USERNAME_FIELD_DEFAULT "CN"