| Message ID | 20231022082751.8868-1-gert@greenie.muc.de |
|---|---|
| State | Accepted |
| Series | [Openvpn-devel] dco: warn if DATA_V1 packets are sent to userspace |
This is actually "V3" of the patch, but I forgot to add the -v3 when sending from gerrit to the list. The change is basically the same as in v1, just leaving the "real" code alone, defusing it by setting c->c2.buf.len = 0 in the new branch. Plus comments :-)

As in v1, this adds diagnostics to detect a non-fixable incompatibility between 2.4.0-2.4.4 servers and DCO-enabled clients (it can only be fixed by upgrading the server, not by a code change on the client side, or by disabling DCO on the client - but neither can be done automatically).

Tested on the server testbed, which has DCO and no-DCO peers, V1 and V2, which should trigger "false alarms" nicely.

Your patch has been applied to the master and release/2.6 branch (compat).

commit df7beea404df48745a608c584d863c5a377b7a1e (master)
commit e78f88d8ea113585ca16945ef0361710b838ec7d (HEAD -> release/2.6)
Author: Lev Stipakov
Date:   Sun Oct 22 10:27:40 2023 +0200

    dco: warn if DATA_V1 packets are sent to userspace

    Signed-off-by: Lev Stipakov <lev@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20231022082751.8868-1-gert@greenie.muc.de>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27272.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index d8ad0d1..40f21bc 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1047,6 +1047,24 @@ if (c->c2.tls_multi) { + uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT; + + /* + * If DCO is enabled, the kernel drivers require that the + * other end only sends P_DATA_V2 packets. V1 are unknown + * to kernel and passed to userland, but we cannot handle them + * either because crypto context is missing - so drop the packet. + * + * This can only happen with particular old (2.4.0-2.4.4) servers. + */ + if ((opcode == P_DATA_V1) && dco_enabled(&c->options)) + { + msg(D_LINK_ERRORS, + "Data Channel Offload doesn't support DATA_V1 packets. " + "Upgrade your server to 2.4.5 or newer."); + c->c2.buf.len = 0; + } + /* * If tls_pre_decrypt returns true, it means the incoming * packet was a good TLS control channel packet. If so, TLS code @@ -1057,9 +1075,8 @@ * will load crypto_options with the correct encryption key * and return false. */ - uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT; - if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co, - floated, &ad_start)) + if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, + &co, floated, &ad_start)) { /* Restore pre-NCP frame parameters */ if (is_hard_reset_method2(opcode))
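Review bot: in the first hunk, the new branch sets `c->c2.buf.len = 0` and then falls through to the unchanged `tls_pre_decrypt()` call below rather than skipping it, so the drop relies on `tls_pre_decrypt()` treating an empty buffer as "no packet"; the cover letter says this defusing is intentional, but nothing in the hunk records that guarantee, so either state it in the block comment (e.g. "buf.len = 0 makes the decrypt path below ignore this packet") or skip the decrypt path explicitly. Separately, `msg(D_LINK_ERRORS, ...)` runs for every received DATA_V1 packet, so against an affected 2.4.0-2.4.4 server the "Upgrade your server to 2.4.5 or newer." line repeats per data packet; emitting it once per connection or rate-limiting it would keep the log readable without losing the diagnostic.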
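Review bot: in the second hunk, re-wrapping the `tls_pre_decrypt()` arguments (moving `&co,` from the end of the first line to the start of the second) is a whitespace-only change unrelated to the DATA_V1 check and not mentioned in the commit message; either drop it so the diff stays limited to the fix, or call it out in the message. Removing the old `uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;` line here is correct, since the first hunk now declares `opcode` earlier in the same `if (c->c2.tls_multi)` block and the later `is_hard_reset_method2(opcode)` still sees it.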