From patchwork Thu May 12 23:37:40 2022
X-Patchwork-Submitter: Heiko Hund
X-Patchwork-Id: 2458
From: Heiko Hund
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 13 May 2022 11:37:40 +0200
Message-Id: <20220513093740.1091639-1-heiko@ist.eigentlich.net>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20220512231105.1076835-1-heiko@ist.eigentlich.net>
References: <20220512231105.1076835-1-heiko@ist.eigentlich.net>
Subject: [Openvpn-devel] [PATCH v2] signal --dns support in peer info

Have clients set a bit in IV_PROTO, so that servers can make an informed decision on whether to push --dns to the client. While unknown options are ignored by clients when pushed, they generate a warning in the log. That can be circumvented by server backends by checking if bit 7 is set.
Signed-off-by: Heiko Hund Acked-By: David Sommerseth --- src/openvpn/ssl.c | 3 +++ src/openvpn/ssl.h | 3 +++ 2 files changed, 6 insertions(+) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 61dea996..24d7f3f4 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1940,6 +1940,9 @@ push_peer_info(struct buffer *buf, struct tls_session *session) /* support for P_DATA_V2 */ int iv_proto = IV_PROTO_DATA_V2; + /* support for the --dns option */ + iv_proto |= IV_PROTO_DNS_OPTION; + /* support for receiving push_reply before sending * push request, also signal that the client wants * to get push-reply messages without without requiring a round diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 0ba86d3e..c8802707 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -93,6 +93,9 @@ * result. */ #define IV_PROTO_NCP_P2P (1<<5) +/** Supports the --dns option introduced in version 2.6 */ +#define IV_PROTO_DNS_OPTION (1<<6) + /* Default field in X509 to be username */ #define X509_USERNAME_FIELD_DEFAULT "CN"
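Review bot: in the ssl.c hunk, `iv_proto |= IV_PROTO_DNS_OPTION;` is set unconditionally in push_peer_info(), which is consistent with the commit message (the bit promises only that a pushed --dns is accepted without an unknown-option warning, not that the client actually applies DNS settings), but the comment `/* support for the --dns option */` should say exactly that, so a server backend does not read the bit as a guarantee that the client configures its resolver. While this function is being touched, the adjacent context comment `* to get push-reply messages without without requiring a round` has a duplicated "without" that could be fixed in the same patch or a follow-up.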
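Review bot: in the ssl.h hunk, `#define IV_PROTO_DNS_OPTION (1<<6)` has the value 64 (0x40), i.e. bit 6 counting from zero, while the commit message tells server backends to check "if bit 7 is set"; please make the two agree (state (1<<6) or 0x40 in the commit message, or put the numeric value into the doc comment) so that a backend written from the commit message does not test (1<<7) = 128 by mistake. The doc comment `/** Supports the --dns option introduced in version 2.6 */` matches the style of the neighbouring IV_PROTO_NCP_P2P entry; it would help backend authors to add that IV_PROTO carries several flags at once and must be masked, not compared as a whole value.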
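As an added example (not part of this patch and not OpenVPN's own code), the server-side check the commit message describes, written as a POSIX-shell --client-connect backend: it reads the client's IV_PROTO from its environment (assumption: OpenVPN exports the peer-info values it receives as IV_* environment variables to that script, and lets the script append push directives to the file passed as its first argument), masks the value with IV_PROTO_DNS_OPTION from the ssl.h hunk, (1<<6) = 64, and pushes --dns only to clients that set the bit, falling back to the older dhcp-option form for everyone else. The resolver address 10.8.0.1, the IV_PROTO sample values and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: server-side use of the IV_PROTO bit introduced by the patch.
# Not OpenVPN project code. Assumes (not verified here) that OpenVPN exports
# the client's peer-info IV_PROTO as an environment variable to a
# --client-connect script and passes the client-config file path as $1.

# Same value as IV_PROTO_DNS_OPTION (1<<6) in src/openvpn/ssl.h of the patch.
IV_PROTO_DNS_OPTION=64

# Constructed resolver address used in the pushed directives below.
DNS_ADDR=10.8.0.1

# Return 0 if the decimal IV_PROTO value in $1 has the --dns bit set, 1 otherwise.
# Empty or non-numeric input (a client that sent no IV_PROTO at all, or garbage)
# is treated as "unsupported", so such clients get the legacy directive.
client_supports_dns_option() {
    proto="${1:-}"
    case "$proto" in
        ''|*[!0-9]*) return 1 ;;
    esac
    # IV_PROTO is a bit field: mask it rather than compare the whole value.
    [ $(( proto & IV_PROTO_DNS_OPTION )) -ne 0 ]
}

# Print the push directive appropriate for the given IV_PROTO value.
# Clients that advertised the bit get a 2.6-style --dns push; all others get
# the pre-2.6 dhcp-option form, which avoids the unknown-option warning the
# commit message mentions.
dns_push_line() {
    if client_supports_dns_option "$1"; then
        printf 'push "dns server 1 address %s"\n' "$DNS_ADDR"
    else
        printf 'push "dhcp-option DNS %s"\n' "$DNS_ADDR"
    fi
}

# Entry point when used as a --client-connect script: append the chosen
# directive to the client-config file OpenVPN hands us as $1, using the
# peer's IV_PROTO from the environment (unset is handled as "unsupported").
client_connect() {
    ccd_file="$1"
    dns_push_line "${IV_PROTO:-}" >> "$ccd_file"
}

# Only act as a client-connect script when a config file path was given, so
# sourcing this file for its functions has no side effects.
if [ "$#" -ge 1 ]; then
    client_connect "$1"
fi
```

Wire it up on the server with `--client-connect /path/to/this-script.sh` (plus `--script-security 2`); the function split keeps the bit test reusable from an auth or learn-address hook as well. Note that the test masks with 64, not 128: a backend that takes "bit 7" in the commit message literally as (1<<7) would never match the bit the patch actually sets.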