From patchwork Thu May 12 13:11:05 2022
X-Patchwork-Submitter: Heiko Hund
X-Patchwork-Id: 2455
From: Heiko Hund
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 13 May 2022 01:11:05 +0200
Message-Id: <20220512231105.1076835-1-heiko@ist.eigentlich.net>
Subject: [Openvpn-devel] [PATCH] signal --dns support in peer info

Have clients set a bit in IV_PROTO, so that servers can make an informed decision on whether to push --dns to the client. While unknown options are ignored by clients when pushed, they generate a warning in the log. That can be circumvented by server backends by checking if bit 7 is set.
Signed-off-by: Heiko Hund Acked-By: Arne Schwabe --- src/openvpn/ssl.c | 4 ++-- src/openvpn/ssl.h | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 61dea996..12f51150 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1937,8 +1937,8 @@ push_peer_info(struct buffer *buf, struct tls_session *session) /* These are the IV variable that are sent to peers in p2p mode */ if (session->opt->push_peer_info_detail > 0) { - /* support for P_DATA_V2 */ - int iv_proto = IV_PROTO_DATA_V2; + /* support for P_DATA_V2 and the --dns option */ + int iv_proto = IV_PROTO_DATA_V2 & IV_PROTO_DNS_OPTION; /* support for receiving push_reply before sending * push request, also signal that the client wants diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 0ba86d3e..c8802707 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -93,6 +93,9 @@ * result. */ #define IV_PROTO_NCP_P2P (1<<5) +/** Supports the --dns option introduced in version 2.6 */ +#define IV_PROTO_DNS_OPTION (1<<6) + /* Default field in X509 to be username */ #define X509_USERNAME_FIELD_DEFAULT "CN"
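Review bot: the new initialiser in the ssl.c hunk, `int iv_proto = IV_PROTO_DATA_V2 & IV_PROTO_DNS_OPTION;`, combines the two flags with bitwise AND where OR is needed. The ssl.h hunk shows the IV_PROTO_* flags are distinct single-bit masks in the `(1<<n)` style, so the AND of two different flags is 0: the client would advertise neither P_DATA_V2 nor --dns support, which silently regresses the existing P_DATA_V2 signalling for every peer rather than adding the new bit. Change it to `int iv_proto = IV_PROTO_DATA_V2 | IV_PROTO_DNS_OPTION;`, and consider asserting on the computed value in a test so the same slip cannot recur when the next flag is added.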
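Review bot: the doc comment on the new define in the ssl.h hunk should state the bit in the same convention the commit message uses. The message tells server backends to check "if bit 7 is set", while the code defines `IV_PROTO_DNS_OPTION (1<<6)`, which is bit 6 counting from zero (the seventh bit counting from one, value 64). A backend author reading one and not the other will test the wrong bit, so suggest `/** Supports the --dns option introduced in version 2.6 (bit 6, value 64) */` and aligning the commit message with it.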