[Openvpn-devel] disable DCO if --secret is specified

Message ID 20221207100201.6467-1-a@unstable.cc
State Accepted
Series [Openvpn-devel] disable DCO if --secret is specified

Commit Message

Antonio Quartulli Dec. 7, 2022, 10:02 a.m. UTC
P2P mode with pre-shared key is deprecated, insecure and should NOT be
used. This said, we still carry it around for a bit and we have to make
sure it does not fight with DCO.

Disable DCO entirely when --secret is specified.

Signed-off-by: Antonio Quartulli <a@unstable.cc>
---
 src/openvpn/dco.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Gert Doering Dec. 7, 2022, 12:03 p.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

Nicely trivial, and gets the job done :-)

Dec  7 11:21:02 ubuntu2004 tun-udp-p2p[1139052]: --secret is set. Disabling data channel offload

.. and subsequently, tests succeed, and the instance does not crash
anymore.  Thanks.  (Tested only on the Linux/DCO Server + Client, because
the code path is irrelevant on non-DCO systems)

I have added "Github: OpenVPN/openvpn#188" to the commit message, as
discussed on IRC just now.

Your patch has been applied to the master and release/2.6 branch.

commit f5febf7f8998e425afb051cd6f965f4dd40b1659 (master)
commit 952a33a879ee106ee0877b872ad3d6c58983b521 (release/2.6)
Author: Antonio Quartulli
Date:   Wed Dec 7 11:02:01 2022 +0100

     disable DCO if --secret is specified

     Signed-off-by: Antonio Quartulli <a@unstable.cc>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20221207100201.6467-1-a@unstable.cc>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25629.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
Arne Schwabe Dec. 7, 2022, 12:25 p.m. UTC | #2
Am 07.12.22 um 11:02 schrieb Antonio Quartulli:
> P2P mode with pre-shared key is deprecated, insecure and should NOT be
> used. This said, we still carry it around for a bit and we have to make
> sure it does not fight with DCO.
> 
> Disable DCO entirely when --secret is specified.
> 
> Signed-off-by: Antonio Quartulli <a@unstable.cc>
> ---
>   src/openvpn/dco.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
> diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
> index d599dd7e..1cd698bf 100644
> --- a/src/openvpn/dco.c
> +++ b/src/openvpn/dco.c
> @@ -274,6 +274,12 @@ dco_check_startup_option(int msglevel, const struct options *o)
>           return false;
>       }
>   
> +    if (o->shared_secret_file)
> +    {
> +        msg(msglevel, "--secret is set. Disabling data channel offload");
> +        return false;
> +    }
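Review bot: the new test keys only on `o->shared_secret_file`, so a p2p configuration that sets neither `--secret` nor a TLS mode (the plain, no-crypto mode) still passes this function and keeps DCO enabled; since the commit message's intent is to keep the non-TLS p2p path away from DCO altogether, consider widening the condition so that `dco_check_startup_option()` also returns false when no TLS-server/TLS-client mode is configured, rather than only when a shared secret file is set.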

I think you missing the mode when you have neither --secret nor any of 
the tls modes.

Arne

Patch

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index d599dd7e..1cd698bf 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -274,6 +274,12 @@  dco_check_startup_option(int msglevel, const struct options *o)
         return false;
     }
 
+    if (o->shared_secret_file)
+    {
+        msg(msglevel, "--secret is set. Disabling data channel offload");
+        return false;
+    }
+
     if (dev_type_enum(o->dev, o->dev_type) != DEV_TYPE_TUN)
     {
         msg(msglevel, "Note: dev-type not tun, disabling data channel offload.");
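Review bot: the message in the new block, "--secret is set. Disabling data channel offload", does not follow the wording of the neighbouring check ("Note: dev-type not tun, disabling data channel offload."), so the two DCO-disable reasons will look different in the log; use the same "Note: ..., disabling data channel offload." form, and consider adding that this happens because p2p pre-shared-key mode is deprecated, so users understand why DCO went away. The behaviour change is also user visible (--secret now silently turns off data channel offload), so the DCO section of the man page and the release notes should record it alongside the other options that disable DCO.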