dco: warn if DATA_V1 packets are sent to userspace

Servers 2.4.0 - 2.4.4 support peer-id and AEAD ciphers, but only send DATA_V1 packets. With DCO enabled on the client, connection is established but not working. This is because DCO driver(s) are unable to handle DATA_V1 packets and forwards them to userspace, where they silently disappear since crypto context is in DCO and not in userspace. Starting from 2.4.5 server sends DATA_V2 so problem doesn't happen. We cannot switch to non-DCO on the fly, so we log this and advice user to upgrade the server to 2.4.5 or newer. Github: fixes #422 Change-Id: I8cb2cb083e3cdadf187b7874979d79af3974e759 Signed-off-by: Lev Stipakov <[email protected]> Acked-by: Gert Doering <[email protected]> Message-Id: <[email protected]> URL: https://www.mail-archive.com/[email protected]/msg27272.html Signed-off-by: Gert Doering <[email protected]> (cherry picked from commit df7beea)
OpenVPN · Oct 22, 2023 · e78f88d · e78f88d
1 parent 8bbc292
commit e78f88d
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
@@ -1047,6 +1047,24 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
 
         if (c->c2.tls_multi)
         {
+            uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
+
+            /*
+             * If DCO is enabled, the kernel drivers require that the
+             * other end only sends P_DATA_V2 packets. V1 are unknown
+             * to kernel and passed to userland, but we cannot handle them
+             * either because crypto context is missing - so drop the packet.
+             *
+             * This can only happen with particular old (2.4.0-2.4.4) servers.
+             */
+            if ((opcode == P_DATA_V1) && dco_enabled(&c->options))
+            {
+                msg(D_LINK_ERRORS,
+                    "Data Channel Offload doesn't support DATA_V1 packets. "
+                    "Upgrade your server to 2.4.5 or newer.");
+                c->c2.buf.len = 0;
+            }
+
             /*
              * If tls_pre_decrypt returns true, it means the incoming
              * packet was a good TLS control channel packet.  If so, TLS code
@@ -1057,7 +1075,6 @@ process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, boo
              * will load crypto_options with the correct encryption key
              * and return false.
              */
-            uint8_t opcode = *BPTR(&c->c2.buf) >> P_OPCODE_SHIFT;
             if (tls_pre_decrypt(c->c2.tls_multi, &c->c2.from, &c->c2.buf, &co,
                                 floated, &ad_start))
             {