From patchwork Mon Jul 18 22:07:15 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 2593 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director15.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id mBDPMuZn1mLJNwAAIUCqbw (envelope-from ) for ; Tue, 19 Jul 2022 04:14:30 -0400 Received: from proxy19.mail.ord1d.rsapps.net ([172.30.191.6]) by director15.mail.ord1d.rsapps.net with LMTP id 2Mu1MuZn1mJnFAAAIcMcQg (envelope-from ) for ; Tue, 19 Jul 2022 04:14:30 -0400 Received: from smtp22.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy19.mail.ord1d.rsapps.net with LMTPS id GH5fMuZn1mKvVgAAyH2SIw (envelope-from ) for ; Tue, 19 Jul 2022 04:14:30 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp22.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=unstable.cc X-Suspicious-Flag: YES X-Classification-ID: d00594c4-073a-11ed-b333-5254001a15c2-1-1 Received: from [216.105.38.7] ([216.105.38.7:43680] helo=lists.sourceforge.net) by smtp22.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id DD/32-17852-6E766D26; Tue, 19 Jul 2022 04:14:30 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1oDiMC-0006ll-AX; Tue, 19 Jul 2022 08:13:28 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1oDiMA-0006ku-SN for openvpn-devel@lists.sourceforge.net; Tue, 19 Jul 2022 08:13:26 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=+AZ2rQAKQPVcFSMV7f41fhP5Ko2U/oy3FmeJeT7MHGM=; b=Yw6g9nKPgxLBwk5JUlR8QMQrim 9JadrWH5WOL9gmiHLipljJrr+8021mc326oWnOcdvnzYFPPOF0qsl6g3ZtKAiQ01SzSY0frAsRe1X bKrPRih8BrD4+fEP+7Cfb4oWkPsnmtIDyrKpRAQVXFd4tRmU5h3RpEJ3FyOdf3CTp8Ps=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=+AZ2rQAKQPVcFSMV7f41fhP5Ko2U/oy3FmeJeT7MHGM=; b=b1PR+84bghAHtBx7YOhInxZBTk ZfujoNSgO6gyz7aErXy6b7CFFVOmGo/KxBCZqbtlxt5+XsRiAjibhjP9XwpUP/1hPUhd2v0haPQyI uHa/yhgN10v7oqOFdfJpAQSP0+XZmXwAt1LPQLwEsFK6QpFSdUiLUn2WIm5E9ep56F4Q=; Received: from s2.neomailbox.net ([5.148.176.60]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1oDiM5-0003Ac-P3 for openvpn-devel@lists.sourceforge.net; Tue, 19 Jul 2022 08:13:26 +0000 From: Antonio Quartulli To: openvpn-devel@lists.sourceforge.net Date: Tue, 19 Jul 2022 10:07:15 +0200 Message-Id: <20220719080715.1445-1-a@unstable.cc> In-Reply-To: 20220718231240.15810-1-a@unstable.cc References: MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: A server may push options that are not compatible with DCO. In this case we should log a message and bail out. Signed-off-by: Antonio Quartulli --- Changes from v2: * split if condition on two lines Content analysis details: (0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1oDiM5-0003Ac-P3 Subject: [Openvpn-devel] [PATCH v3 12/25] dco: check that pulled options are compatible X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Antonio Quartulli Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox A server may push options that are not compatible with DCO. In this case we should log a message and bail out. Signed-off-by: Antonio Quartulli --- Changes from v2: * split if condition on two lines Changes from v1: * move check_dco_pull_options() to dco.c (renamed to dco_check_pull_options()) * make options argument const * add msglevel as first argument src/openvpn/dco.c | 12 ++++++++++++ src/openvpn/dco.h | 17 +++++++++++++++++ src/openvpn/init.c | 11 +++++++++++ 3 files changed, 40 insertions(+) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index b39759e1..fa4a8487 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -339,4 +339,16 @@ dco_check_option_conflict(int msglevel, const struct options *o) return true; } +bool +dco_check_pull_options(int msglevel, const struct options *o) +{ + if (!o->use_peer_id) + { + msg(msglevel, "OPTIONS IMPORT: Server did not request DATA_V2 packet " + "format required for data channel offload"); + return false; + } + return true; +} + #endif /* defined(ENABLE_DCO) */ diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h index cb7f7e4f..a4bf6e37 100644 --- a/src/openvpn/dco.h +++ b/src/openvpn/dco.h @@ -65,6 +65,17 @@ bool dco_available(int msglevel); */ bool dco_check_option_conflict(int msglevel, const struct options *o); +/** + * Check whether any of the options pushed by the server is not supported by + * our current dco implementation. If so print a warning at warning level + * for the first conflicting option found and return false. + * + * @param msglevel the msg level to use to print the warnings + * @param o the options struct that hold the options + * @return true if no conflict was detected, false otherwise + */ +bool dco_check_pull_options(int msglevel, const struct options *o); + /** * Initialize the DCO context * @@ -154,6 +165,12 @@ dco_check_option_conflict(int msglevel, const struct options *o) return false; } +static inline bool +dco_check_pull_options(int msglevel, const struct options *o) +{ + return false; +} + static inline bool ovpn_dco_init(int mode, dco_context_t *dco) { diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 8e1221dd..81fd49fa 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2366,6 +2366,17 @@ finish_options(struct context *c) return false; } + /* Check if the pushed options are compatible with DCO if we have + * DCO enabled */ + if (dco_enabled(&c->options) + && !dco_check_pull_options(D_TLS_ERRORS, &c->options)) + { + msg(D_TLS_ERRORS, "OPTIONS ERROR: pushed options are incompatible with " + "data channel offload. Use --disable-dco to connect" + "to this server"); + return false; + } + return true; }