From patchwork Sun Oct 22 08:27:40 2023
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3402
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 22 Oct 2023 10:27:40 +0200
Message-ID: <20231022082751.8868-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.41.0
Subject: [Openvpn-devel] [PATCH] dco: warn if DATA_V1 packets are sent to userspace
From: Lev Stipakov

Servers 2.4.0 - 2.4.4 support peer-id and AEAD ciphers, but only send DATA_V1 packets. With DCO enabled on the client, the connection is established but not working. This is because the DCO driver(s) are unable to handle DATA_V1 packets and forward them to userspace, where they silently disappear since the crypto context is in DCO and not in userspace.

Starting from 2.4.5 the server sends DATA_V2, so the problem doesn't happen. We cannot switch to non-DCO on the fly, so we log this and advise the user to upgrade the server to 2.4.5 or newer.

Github: fixes OpenVPN/openvpn#422

Change-Id: I8cb2cb083e3cdadf187b7874979d79af3974e759
Signed-off-by: Lev Stipakov
Acked-by: Gert Doering
---

This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/368
This mail reflects revision 3 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index d8ad0d1..40f21bc 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -1047,6 +1047,24 @@ if (c->c2.tls_multi) { + uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT; + + /* + * If DCO is enabled, the kernel drivers require that the + * other end only sends P_DATA_V2 packets. V1 are unknown + * to kernel and passed to userland, but we cannot handle them + * either because crypto context is missing - so drop the packet. + * + * This can only happen with particular old (2.4.0-2.4.4) servers. + */ + if ((opcode == P_DATA_V1) && dco_enabled(&c->options)) + { + msg(D_LINK_ERRORS, + "Data Channel Offload doesn't support DATA_V1 packets. " + "Upgrade your server to 2.4.5 or newer."); + c->c2.buf.len = 0; + } + /* * If tls_pre_decrypt returns true, it means the incoming * packet was a good TLS control channel packet. If so, TLS code
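Review bot: after dropping the packet with `c->c2.buf.len = 0`, control still falls through to the `tls_pre_decrypt()` call visible in the trailing context lines with an empty buffer, so the fix relies on that path tolerating `len == 0`; wrapping the remaining processing in an `else`, or a one-line comment stating that a zero-length buffer is the established "drop" convention at this point, would make the intent explicit. Secondary: `msg(D_LINK_ERRORS, ...)` fires for every DATA_V1 packet received, and a 2.4.0-2.4.4 server sends nothing else on the data channel, so the same advice line will repeat at packet rate; consider logging it once per session or rate-limiting it.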
@@ -1057,9 +1075,8 @@ * will load crypto_options with the correct encryption key * and return false. */ - uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT; - if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co, - floated, &ad_start)) + if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, + &co, floated, &ad_start)) { /* Restore pre-NCP frame parameters */ if (is_hard_reset_method2(opcode))
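Review bot: the re-wrap of the `tls_pre_decrypt()` argument list (moving `&co` from the first continuation line to the second) is a pure whitespace change unrelated to the DATA_V1 check and adds noise to the diff; dropping it would leave this hunk with only the relocation of the `opcode` declaration. The relocation itself is fine: the context line `if (is_hard_reset_method2(opcode))` still uses `opcode`, and the new declaration in the first hunk sits at the top of the same `if (c->c2.tls_multi)` block, so it stays in scope.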
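The opcode test the commit message and the first hunk rely on, as an added example in C (written for this page; not code from OpenVPN or from the patch author). It shows how the first byte of an OpenVPN packet splits into opcode and key id, why a DATA_V2 packet carries a peer-id that a DATA_V1 packet lacks, and the drop decision a DCO-enabled client has to make, with an explicit length guard. The `P_*` constants are redefined locally with the values OpenVPN uses so the file compiles stand-alone; the two sample packets are constructed, not captures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First-byte layout of an OpenVPN packet: opcode in the high 5 bits, key id in
 * the low 3 bits. Values match OpenVPN's definitions but are redefined here so
 * the example builds without the OpenVPN tree. */
#define P_OPCODE_SHIFT 3
#define P_KEY_ID_MASK  0x07
#define P_DATA_V1      6   /* [op|key_id][ciphertext ...]                     */
#define P_DATA_V2      9   /* [op|key_id][peer-id, 3 bytes][ciphertext ...]   */

#define P_DATA_V2_PEER_ID_LEN 3
#define PEER_ID_NONE 0xFFFFFFFFu

static inline uint8_t ovpn_opcode(uint8_t first) { return first >> P_OPCODE_SHIFT; }
static inline uint8_t ovpn_key_id(uint8_t first) { return first & P_KEY_ID_MASK; }

/* Extract the 24-bit big-endian peer-id that only P_DATA_V2 carries.
 * Returns PEER_ID_NONE if the packet is not DATA_V2 or is too short. */
uint32_t ovpn_data_v2_peer_id(const uint8_t *pkt, size_t len)
{
    if (len < 1 + P_DATA_V2_PEER_ID_LEN || ovpn_opcode(pkt[0]) != P_DATA_V2)
        return PEER_ID_NONE;
    return ((uint32_t)pkt[1] << 16) | ((uint32_t)pkt[2] << 8) | pkt[3];
}

/* The decision added by the patch: with DCO enabled the data-channel keys live
 * in the kernel, so userspace cannot decrypt a DATA_V1 packet and must drop it.
 * The len == 0 guard is explicit here; the patch relies on the surrounding
 * code for that. */
bool dco_should_drop_data_v1(const uint8_t *pkt, size_t len, bool dco_enabled)
{
    if (len == 0 || !dco_enabled)
        return false;
    return ovpn_opcode(pkt[0]) == P_DATA_V1;
}

/* Constructed sample packets: first byte is (opcode << 3) | key_id, the rest
 * is placeholder ciphertext (and, for V2, the peer-id 42). */
static const uint8_t SAMPLE_DATA_V1[] = {
    (P_DATA_V1 << P_OPCODE_SHIFT) | 2, 0xde, 0xad, 0xbe, 0xef
};
static const uint8_t SAMPLE_DATA_V2[] = {
    (P_DATA_V2 << P_OPCODE_SHIFT) | 2, 0x00, 0x00, 0x2a, 0xde, 0xad
};

static void report(const char *name, const uint8_t *pkt, size_t len)
{
    printf("%s: opcode=%u key_id=%u peer_id=", name,
           ovpn_opcode(pkt[0]), ovpn_key_id(pkt[0]));
    uint32_t pid = ovpn_data_v2_peer_id(pkt, len);
    if (pid == PEER_ID_NONE)
        printf("n/a");
    else
        printf("%u", pid);
    printf(" drop_with_dco=%s\n",
           dco_should_drop_data_v1(pkt, len, true) ? "yes" : "no");
}

int main(void)
{
    report("DATA_V1 (2.4.0-2.4.4 server)", SAMPLE_DATA_V1, sizeof SAMPLE_DATA_V1);
    report("DATA_V2 (2.4.5+ server)",      SAMPLE_DATA_V2, sizeof SAMPLE_DATA_V2);
    return 0;
}
```

Running it prints one line per sample packet; the DATA_V1 sample is the one a DCO client would have to drop, while the same bytes on a non-DCO client (`dco_enabled == false`) are passed on for userspace decryption.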