Attention is currently required from: flichtenheld, plaisthos, stipa.
Hello flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/368?usp=email
to look at the new patch set (#2).
The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld, Code-Review+2 by plaisthos
The change is no longer submittable: Code-Review and checks~ChecksSubmitRule
are unsatisfied now.
Change subject: dco: warn if DATA_V1 packets are sent to userspace
......................................................................
dco: warn if DATA_V1 packets are sent to userspace
Servers 2.4.0 - 2.4.4 support peer-id and AEAD ciphers,
but only send DATA_V1 packets. With DCO enabled on the
client, the connection is established but not working.
This is because the DCO driver(s) are unable to handle
DATA_V1 packets and forward them to userspace, where
they silently disappear since the crypto context is in
DCO and not in userspace.
Starting from 2.4.5 the server sends DATA_V2, so the problem
doesn't happen.
We cannot switch to non-DCO on the fly, so we log this
and advise the user to upgrade the server to 2.4.5 or newer.
This fixes https://github.com/OpenVPN/openvpn/issues/422
Change-Id: I8cb2cb083e3cdadf187b7874979d79af3974e759
Signed-off-by: Lev Stipakov <[email protected]>
---
M src/openvpn/forward.c
1 file changed, 20 insertions(+), 3 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/68/368/2
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index d8ad0d1..40f21bc 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -1047,6 +1047,24 @@
if (c->c2.tls_multi)
{
+ uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
+
+ /*
+ * If DCO is enabled, the kernel drivers require that the
+ * other end only sends P_DATA_V2 packets. V1 are unknown
+ * to kernel and passed to userland, but we cannot handle them
+ * either because crypto context is missing - so drop the packet.
+ *
+ * This can only happen with particular old (2.4.0-2.4.4) servers.
+ */
+ if ((opcode == P_DATA_V1) && dco_enabled(&c->options))
+ {
+ msg(D_LINK_ERRORS,
+ "Data Channel Offload doesn't support DATA_V1 packets. "
+ "Upgrade your server to 2.4.5 or newer.");
+ c->c2.buf.len = 0;
+ }
+
/*
* If tls_pre_decrypt returns true, it means the incoming
* packet was a good TLS control channel packet. If so, TLS code
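Review bot: after `c->c2.buf.len = 0;` execution falls through into the `tls_pre_decrypt()` call below with an emptied buffer instead of leaving the block, so the "drop" only works if every downstream step on this path tolerates a zero-length buffer; either leave the block right after the `msg()` call or extend the comment to state that a zero `buf.len` is handled further down. Second, `msg(D_LINK_ERRORS, ...)` fires for every DATA_V1 packet, and a 2.4.0-2.4.4 server will send one per data packet, so the same warning will be repeated for the life of the connection; consider emitting it once per session (for example via a flag kept in the context) and dropping later packets silently or at a debug level. Finally, `uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;` now dereferences the buffer before the DCO check, which is only safe if the enclosing code guarantees `buf.len > 0` at this point; that guarantee is not visible in the hunk, so it is worth confirming.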
@@ -1057,9 +1075,8 @@
* will load crypto_options with the correct encryption key
* and return false.
*/
- uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
- if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
- floated, &ad_start))
+ if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf,
+ &co, floated, &ad_start))
{
/* Restore pre-NCP frame parameters */
if (is_hard_reset_method2(opcode))
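Review bot: the re-wrapped call (`+ if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf,` / `+ &co, floated, &ad_start))`) changes only where the arguments break across lines, so those `-`/`+` pairs are whitespace churn; keeping the original wrapping would leave this hunk with just the removed `opcode` declaration, which is the actual change. The removal itself is fine as long as the declaration moved to the top of the `if (c->c2.tls_multi)` block remains in scope for the `is_hard_reset_method2(opcode)` use in the trailing context.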
--
Gerrit-Project: openvpn
Gerrit-Branch: release/2.6
Gerrit-Change-Id: I8cb2cb083e3cdadf187b7874979d79af3974e759
Gerrit-Change-Number: 368
Gerrit-PatchSet: 2
Gerrit-Owner: stipa <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
Gerrit-Attention: stipa <[email protected]>
Gerrit-MessageType: newpatchset