From patchwork Sun Oct 8 10:53:16 2023
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 3384
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 8 Oct 2023 12:53:16 +0200
Message-Id: <20231008105316.21010-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH] dco: warn if DATA_V1 packets are sent to userspace
Cc: Lev Stipakov, Arne Schwabe
From: Lev Stipakov

Servers 2.4.0 - 2.4.4 support peer-id and AEAD ciphers, but only send DATA_V1 packets. With DCO enabled on the client, the connection is established but not working. This is because DCO driver(s) are unable to handle DATA_V1 packets and forward them to userspace, where they silently disappear since the crypto context is in DCO and not in userspace.

Starting from 2.4.5 the server sends DATA_V2, so the problem doesn't happen. We cannot switch to non-DCO on the fly, so we log this and advise the user to upgrade the server to 2.4.5 or newer.

This fixes https://github.com/OpenVPN/openvpn/issues/422

Change-Id: I8cb2cb083e3cdadf187b7874979d79af3974e759
Signed-off-by: Lev Stipakov
Acked-by: Arne Schwabe
Acked-by: Frank Lichtenheld
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/368
This mail reflects revision 1 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe
Frank Lichtenheld

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index d8ad0d1..66843b4 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1058,8 +1058,16 @@ * and return false. */ uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT; - if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co, - floated, &ad_start)) + + if ((opcode == P_DATA_V1) && dco_enabled(&c->options)) + { + msg(D_LINK_ERRORS, + "Data Channel Offload doesn't support DATA_V1 packets. " + "Upgrade your server to 2.4.5 or newer."); + c->c2.buf.len = 0; + } + else if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, + &co, floated, &ad_start)) { /* Restore pre-NCP frame parameters */ if (is_hard_reset_method2(opcode))
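Review bot: The new branch in the forward.c hunk logs at D_LINK_ERRORS and drops the buffer for every DATA_V1 packet, and it does so before tls_pre_decrypt has checked the packet against the peer (the branch is taken on opcode and dco_enabled() alone), so any datagram arriving at the client's socket with a DATA_V1 opcode produces a log line regardless of its sender; against a 2.4.0-2.4.4 server this also fires on each data packet for the life of the connection. Consider emitting the warning once per context (a flag next to c->c2.buf.len = 0;) or at a muted/rate-limited level so the log stays useful and cannot be filled by unauthenticated traffic, while still discarding the packet. A short note in the user-facing change log that DCO clients now refuse DATA_V1 and point at "Upgrade your server to 2.4.5 or newer." would help operators interpret the new message.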