From patchwork Wed Aug 3 20:40:16 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2625
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Thu, 4 Aug 2022 08:40:16 +0200
Message-Id: <20220804064016.20414-1-a@unstable.cc>
In-Reply-To: <20220719080715.1445-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH v4 12/35] dco: check that pulled options are compatible

A server may push options that are not compatible with DCO. In this case we should log a message and bail out.
Signed-off-by: Antonio Quartulli Acked-by: Gert Doering --- Changes from v3: * move pull-option-check to before opening the tun device, for earlier bail out * fix typ0 in error message (missing blank) Changes from v2: * split if condition on two lines Changes from v1: * move check_dco_pull_options() to dco.c (renamed to dco_check_pull_options()) * make options argument const * add msglevel as first argument --- src/openvpn/dco.c | 12 ++++++++++++ src/openvpn/dco.h | 17 +++++++++++++++++ src/openvpn/init.c | 9 +++++++++ 3 files changed, 38 insertions(+) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index b92a0e9c..8c22b7ea 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -370,4 +370,16 @@ dco_check_option_conflict(int msglevel, const struct options *o) return true; } +bool +dco_check_pull_options(int msglevel, const struct options *o) +{ + if (!o->use_peer_id) + { + msg(msglevel, "OPTIONS IMPORT: Server did not request DATA_V2 packet " + "format required for data channel offload"); + return false; + } + return true; +} + #endif /* defined(ENABLE_DCO) */ diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h index b926e236..fbb35906 100644 --- a/src/openvpn/dco.h +++ b/src/openvpn/dco.h @@ -65,6 +65,17 @@ bool dco_available(int msglevel); */ bool dco_check_option_conflict(int msglevel, const struct options *o); +/** + * Check whether any of the options pushed by the server is not supported by + * our current dco implementation. If so print a warning at warning level + * for the first conflicting option found and return false. + * + * @param msglevel the msg level to use to print the warnings + * @param o the options struct that hold the options + * @return true if no conflict was detected, false otherwise + */ +bool dco_check_pull_options(int msglevel, const struct options *o); + /** * Initialize the DCO context * 
@@ -156,6 +167,12 @@ dco_check_option_conflict(int msglevel, const struct options *o) return false; } +static inline bool +dco_check_pull_options(int msglevel, const struct options *o) +{ + return false; +} + static inline bool ovpn_dco_init(int mode, dco_context_t *dco) { diff --git a/src/openvpn/init.c b/src/openvpn/init.c index de8faeb4..4423e162 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2382,6 +2382,15 @@ do_deferred_options(struct context *c, const unsigned int found) } } + /* Check if pushed options are compatible with DCO, if enabled */ + if (dco_enabled(&c->options) + && !dco_check_pull_options(D_TLS_ERRORS, &c->options)) + { + msg(D_TLS_ERRORS, "OPTIONS ERROR: pushed options are incompatible with " + "data channel offload. Use --disable-dco to connect to this server"); + return false; + } + return true; }
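Review bot: the dco.c hunk implements a single test (`if (!o->use_peer_id)`) while the header comment it is paired with promises a check of "any of the options pushed by the server" and a warning "for the first conflicting option found"; either narrow the comment to the DATA_V2/peer-id requirement or add a short note in the function body that further pushed-option checks belong here, so the documented contract matches what the code does today.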
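Review bot: in the dco.h doc-comment hunk, "print a warning at warning level" contradicts the `msglevel` parameter described two lines later (the caller in init.c passes D_TLS_ERRORS, not a warning level); say "at msglevel" instead. Minor grammar in the same comment: "the options struct that hold the options" should read "holds".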
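Review bot: the non-ENABLE_DCO stub of dco_check_pull_options() returns false, which reads as "pushed options are incompatible" even though no DCO is in use; it is unreachable in practice because the only caller guards it with `dco_enabled(&c->options)`, and it mirrors the `dco_check_option_conflict` stub just above it, but a one-line comment stating that the stub is intentionally never reached would save the next reader from checking whether a non-DCO client can fail this path.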
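Review bot: the init.c hunk logs the same failure twice at D_TLS_ERRORS: dco_check_pull_options() prints the cause ("Server did not request DATA_V2 packet format ...") and this block then prints "OPTIONS ERROR: pushed options are incompatible with data channel offload. Use --disable-dco ...". Keeping both is defensible because only the second line carries the remedy, but consider folding the `--disable-dco` hint into the callee's message so the user gets one line that names both cause and fix. The placement at the end of do_deferred_options(), before the tun device is opened, matches the v3-to-v4 changelog entry.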