Skip to content

Commit

Permalink
dco: warn if DATA_V1 packets are sent to userspace
Browse files Browse the repository at this point in the history
Servers 2.4.0 - 2.4.4 support peer-id and AEAD ciphers,
but only send DATA_V1 packets. With DCO enabled on the
client, connection is established but not working.

This is because DCO driver(s) are unable to handle
DATA_V1 packets and forwards them to userspace, where
they silently disappear since crypto context is in
DCO and not in userspace.

Starting from 2.4.5 server sends DATA_V2 so problem
doesn't happen.

We cannot switch to non-DCO on the fly, so we log this
and advice user to upgrade the server to 2.4.5 or newer.

Github: fixes #422

Change-Id: I8cb2cb083e3cdadf187b7874979d79af3974e759
Signed-off-by: Lev Stipakov <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg27272.html
Signed-off-by: Gert Doering <[email protected]>
  • Loading branch information
lstipakov authored and cron2 committed Oct 22, 2023
1 parent 0068542 commit df7beea
Showing 1 changed file with 18 additions and 1 deletion.
19 changes: 18 additions & 1 deletion src/openvpn/forward.c
Original file line number Diff line number Diff line change
Expand Up @@ -1047,6 +1047,24 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo

if (c->c2.tls_multi)
{
uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;

/*
* If DCO is enabled, the kernel drivers require that the
* other end only sends P_DATA_V2 packets. V1 are unknown
* to kernel and passed to userland, but we cannot handle them
* either because crypto context is missing - so drop the packet.
*
* This can only happen with particular old (2.4.0-2.4.4) servers.
*/
if ((opcode == P_DATA_V1) && dco_enabled(&c->options))
{
msg(D_LINK_ERRORS,
"Data Channel Offload doesn't support DATA_V1 packets. "
"Upgrade your server to 2.4.5 or newer.");
c->c2.buf.len = 0;
}

/*
* If tls_pre_decrypt returns true, it means the incoming
* packet was a good TLS control channel packet. If so, TLS code
Expand All @@ -1057,7 +1075,6 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
* will load crypto_options with the correct encryption key
* and return false.
*/
uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
floated, &ad_start))
{
Expand Down

0 comments on commit df7beea

Please sign in to comment.