A server may push options that are not compatible with DCO. In this case we should log a message and bail out.
Signed-off-by: Antonio Quartulli <a...@unstable.cc>
---
 src/openvpn/init.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index b0a4b252..091cbd24 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2219,6 +2219,19 @@ do_deferred_p2p_ncp(struct context *c)
 return true;
 }
+
+static bool
+check_dco_pull_options(struct options *o)
+{
+ if (!o->use_peer_id)
+ {
+ msg(D_TLS_ERRORS, "OPTIONS IMPORT: Server did not request DATA_V2 packet "
+ "format required for data channel offload");
+ return false;
+ }
+ return true;
+}
+
 /*
 * Handle non-tun-related pulled options.
 */
@@ -2341,6 +2354,16 @@ finish_options(struct context *c)
 return false;
 }
+ /* Check if the pushed options are compatible with DCO if we have
+ * DCO enabled */
+ if (dco_enabled(&c->options) && !check_dco_pull_options(&c->options))
+ {
+ msg(D_TLS_ERRORS, "OPTIONS ERROR: pushed options are incompatible with "
+ "data channel offload. Use --disable-dco to connect"
+ "to this server");
+ return false;
+ }
+
 return true;
 }
-- 
2.35.1
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
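Review bot: The new `check_dco_pull_options()` only reads `o->use_peer_id`, so its parameter should be `const struct options *o`, which also makes it clear that the check never alters the pulled options. The function has no comment; I would add `/* Return false, after logging the reason, if the options pushed by the server cannot be used with data channel offload. */` above it. Only the peer-id / DATA_V2 requirement is tested here, so if other pushed options can conflict with DCO they would presumably need their own case in this function rather than in the caller.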
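Review bot: The adjacent string literals in the added `msg()` call concatenate to "connectto this server", because the middle piece ends without a trailing space. It should read `"data channel offload. Use --disable-dco to connect "`. The failure path itself is sound, since returning false makes the connection fail rather than continue with options the offload path cannot honour. The enclosing `finish_options()` starts outside the hunk, so I cannot tell whether earlier exits in it log in the same style.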